When things go wrong for lzo-compressed btrfs, feeding lzo1x_decompress_safe()
with corrupt data during restore can lead to crashes. Reduce the risk by adding
a check on the input length.
Signed-off-by: Vincent Stehlé <vincent.ste...@laposte.net>
---
Hi,
This patch actually allowed me to finish a btrfs restore of a damaged
filesystem, which was repeateadly crashing otherwise. This was with v3.12, but
I think it still makes sense.
Best regards,
V.
cmds-restore.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/cmds-restore.c b/cmds-restore.c
index 96b97e1..4338493 100644
--- a/cmds-restore.c
+++ b/cmds-restore.c
@@ -115,6 +115,12 @@ static int decompress_lzo(unsigned char *inbuf, char
*outbuf, u64 compress_len,
while (tot_in < tot_len) {
in_len = read_compress_length(inbuf);
+
+ if ((tot_in + LZO_LEN + in_len) > tot_len) {
+ fprintf(stderr, "bad compress length %lu\n", in_len);
+ return -1;
+ }
+
inbuf += LZO_LEN;
tot_in += LZO_LEN;
--
2.0.0
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
