| From f4020438fab05364018c91f7e02ebdd192085933 Mon Sep 17 00:00:00 2001 |
| From: Eric Sandeen <sandeen@redhat.com> |
| Date: Wed, 26 Aug 2020 14:11:58 -0700 |
| Subject: [PATCH] xfs: fix boundary test in xfs_attr_shortform_verify |
| |
| commit f4020438fab05364018c91f7e02ebdd192085933 upstream. |
| |
| The boundary test for the fixed-offset parts of xfs_attr_sf_entry in |
| xfs_attr_shortform_verify is off by one, because the variable array |
| at the end is defined as nameval[1] not nameval[]. |
| Hence we need to subtract 1 from the calculation. |
| |
| This can be shown by: |
| |
| # touch file |
| # setfattr -n root.a file |
| |
| and verifications will fail when it's written to disk. |
| |
| This only matters for a last attribute which has a single-byte name |
| and no value, otherwise the combination of namelen & valuelen will |
| push endp further out and this test won't fail. |
| |
| Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs") |
| Signed-off-by: Eric Sandeen <sandeen@redhat.com> |
| Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> |
| Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> |
| Reviewed-by: Christoph Hellwig <hch@lst.de> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c |
| index 8623c815164a..383b08f2ac61 100644 |
| --- a/fs/xfs/libxfs/xfs_attr_leaf.c |
| +++ b/fs/xfs/libxfs/xfs_attr_leaf.c |
| @@ -1036,8 +1036,10 @@ xfs_attr_shortform_verify( |
| * struct xfs_attr_sf_entry has a variable length. |
| * Check the fixed-offset parts of the structure are |
| * within the data buffer. |
| + * xfs_attr_sf_entry is defined with a 1-byte variable |
| + * array at the end, so we must subtract that off. |
| */ |
| - if (((char *)sfep + sizeof(*sfep)) >= endp) |
| + if (((char *)sfep + sizeof(*sfep) - 1) >= endp) |
| return __this_address; |
| |
| /* Don't allow names with known bad length. */ |
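Review bot: the literal `- 1` in the changed comparison is tied to the nameval[1] declaration only by the comment above it. If xfs_attr_sf_entry is later converted to a flexible array member (nameval[]), sizeof(*sfep) shrinks by one and this test silently becomes one byte too lenient, with nothing at this site to flag it. Consider writing the fixed-part size as offsetof(struct xfs_attr_sf_entry, nameval), which gives the same value today and stays correct under either declaration. It would also help to note in the comment that `>=` is intentional, since it requires at least one byte of name to follow the fixed fields.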
| -- |
| 2.27.0 |
| |