diff options
| author | Hyungjung Joo <jhj140711@gmail.com> | 2026-03-13 16:29:43 +0300 |
|---|---|---|
| committer | David Sterba <dsterba@suse.com> | 2026-04-10 03:51:05 +0300 |
| commit | 6fa253b38b9b293a0de2a361de400557ca7666ca (patch) | |
| tree | a32d105d40728fdcc23e9a990cd02288c5a30f8e | |
| parent | c369299895a591d96745d6492d4888259b004a9e (diff) | |
| download | linux-6fa253b38b9b293a0de2a361de400557ca7666ca.tar.xz | |
affs: bound hash_pos before table lookup in affs_readdir
affs_readdir() decodes ctx->pos into hash_pos and chain_pos and then
dereferences AFFS_HEAD(dir_bh)->table[hash_pos] before validating
that hash_pos is within the runtime table bound. Treat out-of-range
positions as end-of-directory before the first table lookup.
Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
| -rw-r--r-- | fs/affs/dir.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/affs/dir.c b/fs/affs/dir.c index 5c8d83387a39..075c18c4ccde 100644 --- a/fs/affs/dir.c +++ b/fs/affs/dir.c @@ -119,6 +119,8 @@ affs_readdir(struct file *file, struct dir_context *ctx) pr_debug("readdir() left off=%d\n", ino); goto inside; } + if (hash_pos >= AFFS_SB(sb)->s_hashsize) + goto done; ino = be32_to_cpu(AFFS_HEAD(dir_bh)->table[hash_pos]); for (i = 0; ino && i < chain_pos; i++) { |