| author | Ron de Bruijn <rmbruijn@gmail.com> | 2026-05-30 03:19:18 +0300 |
|---|---|---|
| committer | Namjae Jeon <linkinjeon@kernel.org> | 2026-06-05 18:20:17 +0300 |
| commit | 18760a74ef7c28df93726445b5595162e62ed341 (patch) | |
| tree | f0d393af76fda8b1b7a2c26ea9fd159666c32eae /include/linux/timerqueue.h | |
| parent | 0aad21570197973af4a1b25b3fb8ed3aeb9e7670 (diff) | |
| download | linux-18760a74ef7c28df93726445b5595162e62ed341.tar.xz | |

ntfs: fix off-by-one in mapping pairs decoding bounds checks

In ntfs_mapping_pairs_decompress(), attr_end points one byte past the
end of the attribute record:

	attr_end = (u8 *)attr + le32_to_cpu(attr->length);

The two bounds checks validating that mapping pair data bytes fit within
the attribute use strict greater-than (>), which allows a one-byte
out-of-bounds read when the data extends exactly to attr_end:

	b = *buf & 0xf;
	if (b) {
		if (unlikely(buf + b > attr_end)) // off-by-one
			goto io_error;
		for (deltaxcn = (s8)buf[b--]; b; b--)
			deltaxcn = (deltaxcn << 8) + buf[b];
	}

When buf + b == attr_end, the check evaluates to false and buf[b] reads
one byte past the valid attribute boundary. The same pattern appears in
the LCN delta bytes check.

Fix both checks to use >= so that buf[b] at exactly attr_end is
correctly rejected as out of bounds.

Cc: stable@vger.kernel.org # v7.1
Signed-off-by: Ron de Bruijn <rmbruijn@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

Diffstat (limited to 'include/linux/timerqueue.h')
0 files changed, 0 insertions, 0 deletions
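
The boundary case described in the commit message, as an added example that is not the kernel's code or part of this commit: `decode_delta` is a hypothetical stand-alone helper modelled on the quoted snippet, run once with the old `>` check and once with the fixed `>=` check. The three-byte buffer is constructed, and its last byte stands in for whatever memory follows the attribute record.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the attribute record is backing[0..1]; backing[2] is a
 * canary standing in for memory that lies past attr_end. */
static const uint8_t backing[3] = { 0x02, 0x34, 0x7f };

/* Hypothetical helper modelled on the snippet in the commit message.
 * strict_gt = 1 applies the pre-fix check (>), 0 the fixed check (>=).
 * Returns 0 and stores the decoded value, or -1 if the check rejects. */
static int decode_delta(const uint8_t *buf, const uint8_t *attr_end,
                        int strict_gt, int64_t *out)
{
    unsigned b = *buf & 0xf;            /* low nibble: count of data bytes */
    int64_t deltaxcn = 0;

    if (b) {
        /* buf[b] is the highest byte read, so buf + b must be < attr_end. */
        int reject = strict_gt ? (buf + b > attr_end)
                               : (buf + b >= attr_end);
        if (reject)
            return -1;
        /* * 256 instead of << 8 keeps this portable for negative values. */
        for (deltaxcn = (int8_t)buf[b--]; b; b--)
            deltaxcn = deltaxcn * 256 + buf[b];
    }
    *out = deltaxcn;
    return 0;
}

int main(void)
{
    const uint8_t *attr_end = backing + 2;   /* one past the 2-byte record */
    int64_t v = 0;

    /* Header 0x02 claims two data bytes, so buf + b == attr_end exactly. */
    if (decode_delta(backing, attr_end, 1, &v) == 0)
        printf("'>'  accepted, value 0x%llx includes the byte past attr_end\n",
               (unsigned long long)v);
    if (decode_delta(backing, attr_end, 0, &v) == -1)
        printf("'>=' rejected the same input\n");
    return 0;
}
```

With the old check the decoded value's high byte is the canary, which is how a crafted length nibble pulls a byte from outside the record into the runlist.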
