summaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorEric Sandeen <sandeen@redhat.com>2020-08-27 00:11:58 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-09-09 20:04:26 +0300
commit017265f1421529a473c25dc46a0cee98facbb1a3 (patch)
tree85e23dbc8b60b6a120d8fd23dac5f1a0831fc2a7 /fs
parentfd7b07382fff9ff6d090adfa0236d28b6b21402c (diff)
downloadlinux-017265f1421529a473c25dc46a0cee98facbb1a3.tar.xz
xfs: fix boundary test in xfs_attr_shortform_verify
[ Upstream commit f4020438fab05364018c91f7e02ebdd192085933 ] The boundary test for the fixed-offset parts of xfs_attr_sf_entry in xfs_attr_shortform_verify is off by one, because the variable array at the end is defined as nameval[1] not nameval[]. Hence we need to subtract 1 from the calculation. This can be shown by: # touch file # setfattr -n root.a file and verifications will fail when it's written to disk. This only matters for a last attribute which has a single-byte name and no value, otherwise the combination of namelen & valuelen will push endp further out and this test won't fail. Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs") Signed-off-by: Eric Sandeen <sandeen@redhat.com> Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'fs')
-rw-r--r--fs/xfs/libxfs/xfs_attr_leaf.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index 2652d00842d6..087a5715cf20 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -935,8 +935,10 @@ xfs_attr_shortform_verify(
* struct xfs_attr_sf_entry has a variable length.
* Check the fixed-offset parts of the structure are
* within the data buffer.
+ * xfs_attr_sf_entry is defined with a 1-byte variable
+ * array at the end, so we must subtract that off.
*/
- if (((char *)sfep + sizeof(*sfep)) >= endp)
+ if (((char *)sfep + sizeof(*sfep) - 1) >= endp)
return __this_address;
/* Don't allow names with known bad length. */