[v3,8/9] btrfs: Check name_len before in btrfs_del_root_ref

Message ID	20170606095708.494-9-suy.fnst@cn.fujitsu.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-btrfs-owner@kernel.org> From: Su Yue <suy.fnst@cn.fujitsu.com> To: <linux-btrfs@vger.kernel.org> CC: <dsterba@suse.cz> Subject: [PATCH v3 8/9] btrfs: Check name_len before in btrfs_del_root_ref Date: Tue, 6 Jun 2017 17:57:07 +0800 Message-ID: <20170606095708.494-9-suy.fnst@cn.fujitsu.com> In-Reply-To: <20170606095708.494-1-suy.fnst@cn.fujitsu.com> References: <20170606095708.494-1-suy.fnst@cn.fujitsu.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-btrfs-owner@vger.kernel.org Precedence: bulk

Message ID

20170606095708.494-9-suy.fnst@cn.fujitsu.com (mailing list archive)

State

New, archived

Headers

From: Su Yue <suy.fnst@cn.fujitsu.com>
To: <linux-btrfs@vger.kernel.org>
CC: <dsterba@suse.cz>
Subject: [PATCH v3 8/9] btrfs: Check name_len before in btrfs_del_root_ref
Date: Tue, 6 Jun 2017 17:57:07 +0800
Message-ID: <20170606095708.494-9-suy.fnst@cn.fujitsu.com>
In-Reply-To: <20170606095708.494-1-suy.fnst@cn.fujitsu.com>
References: <20170606095708.494-1-suy.fnst@cn.fujitsu.com>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk

Commit Message

Su Yue June 6, 2017, 9:57 a.m. UTC

'btrfs_del_root_ref' does search_slot and reads name from root_ref.
Call 'btrfs_is_name_len_valid' before memcmp.

Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com>
---
 fs/btrfs/root-tree.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c
index 7d6bc308bf43..460db0cb2d07 100644
--- a/fs/btrfs/root-tree.c
+++ b/fs/btrfs/root-tree.c
@@ -390,6 +390,13 @@  int btrfs_del_root_ref(struct btrfs_trans_handle *trans,
 		WARN_ON(btrfs_root_ref_dirid(leaf, ref) != dirid);
 		WARN_ON(btrfs_root_ref_name_len(leaf, ref) != name_len);
 		ptr = (unsigned long)(ref + 1);
+		ret = btrfs_is_name_len_valid(leaf, path->slots[0], ptr,
+					      name_len);
+		if (!ret) {
+			err = -EIO;
+			goto out;
+		}
+
 		WARN_ON(memcmp_extent_buffer(leaf, name, ptr, name_len));
 		*sequence = btrfs_root_ref_sequence(leaf, ref);

[v3,8/9] btrfs: Check name_len before in btrfs_del_root_ref

Commit Message

Patch