From: Richard Weinberger Date: Fri, 2 Aug 2024 16:36:46 +0000 (+0200) Subject: squashfs: Check sqfs_find_inode() return value X-Git-Tag: v2025.01-rc5-pxa1908~170^2~117 X-Git-Url: http://git.dujemihanovic.xyz/img/static/gitweb.css?a=commitdiff_plain;h=3fb1df1e57ee26f4b92932de804ef265e5ae0d3b;p=u-boot.git squashfs: Check sqfs_find_inode() return value The function can fail and return NULL. Signed-off-by: Richard Weinberger Reviewed-by: Miquel Raynal --- diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c index 16a07c0622..fa99d514f2 100644 --- a/fs/squashfs/sqfs.c +++ b/fs/squashfs/sqfs.c @@ -474,6 +474,8 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, /* Start by root inode */ table = sqfs_find_inode(dirs->inode_table, le32_to_cpu(sblk->inodes), sblk->inodes, sblk->block_size); + if (!table) + return -EINVAL; dir = (struct squashfs_dir_inode *)table; ldir = (struct squashfs_ldir_inode *)table; @@ -529,6 +531,8 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, /* Get reference to inode in the inode table */ table = sqfs_find_inode(dirs->inode_table, new_inode_number, sblk->inodes, sblk->block_size); + if (!table) + return -EINVAL; dir = (struct squashfs_dir_inode *)table; /* Check for symbolic link and inode type sanity */ @@ -1025,6 +1029,8 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) i_number = dirs->dir_header->inode_number + dirs->entry->inode_offset; ipos = sqfs_find_inode(dirs->inode_table, i_number, sblk->inodes, sblk->block_size); + if (!ipos) + return -SQFS_STOP_READDIR; base = (struct squashfs_base_inode *)ipos; @@ -1381,6 +1387,10 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, i_number = dirs->dir_header->inode_number + dirs->entry->inode_offset; ipos = sqfs_find_inode(dirs->inode_table, i_number, sblk->inodes, sblk->block_size); + if (!ipos) { + ret = -EINVAL; + goto out; + } base = (struct squashfs_base_inode *)ipos; switch (get_unaligned_le16(&base->inode_type)) { @@ -1629,6 +1639,13 @@ int sqfs_size(const char *filename, loff_t *size) i_number = dirs->dir_header->inode_number + dirs->entry->inode_offset; ipos = sqfs_find_inode(dirs->inode_table, i_number, sblk->inodes, sblk->block_size); + + if (!ipos) { + *size = 0; + ret = -EINVAL; + goto free_strings; + } + free(dirs->entry); dirs->entry = NULL;