See the original report [1], otherwise len + 1 will be overflowed. Note that an EROFS archive can record arbitrary symlink sizes in principle, so we don't assume a short number like 4096.
[1] https://lore.kernel.org/r/20250210164151.GN1233568@bill-the-cat Fixes: 830613f8f5bb ("fs/erofs: add erofs filesystem support") Signed-off-by: Gao Xiang <[email protected]> --- fs/erofs/fs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/erofs/fs.c b/fs/erofs/fs.c index 7bd2e8fcfc..64a6c8cad8 100644 --- a/fs/erofs/fs.c +++ b/fs/erofs/fs.c @@ -63,6 +63,9 @@ static int erofs_readlink(struct erofs_inode *vi) char *target; int err; + if (len >= SIZE_MAX) + return -EFSCORRUPTED; + target = malloc(len + 1); if (!target) return -ENOMEM; -- 2.43.5
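Review bot: the new `len >= SIZE_MAX` test ahead of `malloc(len + 1)` in erofs_readlink() only protects the addition if `len` still holds the full on-disk symlink size at that point. The declaration of `len` is outside the hunk's context. If it is a size_t assigned from a 64-bit inode size, a 32-bit build truncates the value before the comparison, and an oversized link passes the check with a short allocation. Please confirm the type, or compare the untruncated inode size against SIZE_MAX before narrowing it. A one-line comment would also help, noting that large but representable lengths are deliberately left to the existing `if (!target) return -ENOMEM;` path, since the commit message says no small bound such as 4096 is assumed.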
