ext4: Avoid out-of-bounds access of block bitmap

If the blocksize is 1024, count is initialized with 1. Incrementing count by 8 will never match (count == fs->blksz * 8), and ptr may be incremented beyond the buffer end if the bitmap is filled. Add the startblock offset after the loop. Remove the second loop, as only the first iteration will be done. Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de> Reviewed-by: Lukasz Majewski <l.majewski@samsung.com>
2025-03-17 12:41:32 +00:00 · 2016-09-06 04:36:50 +02:00 · 2016-09-06 04:36:50 +02:00 · 0ceef3d371
commit 0ceef3d371
parent a9fa0ed183
1 changed files with 12 additions and 22 deletions
--- a/fs/ext4/ext4_common.c
+++ b/fs/ext4/ext4_common.c
@ -163,18 +163,12 @@ static int _get_new_inode_no(unsigned char *buffer)

 static int _get_new_blk_no(unsigned char *buffer)
 {
-	unsigned char input;
-	int operand, status;
+	int operand;
 	int count = 0;
-	int j = 0;
+	int i;
 	unsigned char *ptr = buffer;
 	struct ext_filesystem *fs = get_fs();

-	if (fs->blksz != 1024)
-		count = 0;
-	else
-		count = 1;
-
 	while (*ptr == 255) {
 		ptr++;
 		count += 8;
@ -182,21 +176,17 @@ static int _get_new_blk_no(unsigned char *buffer)
 			return -1;
 	}

-	for (j = 0; j < fs->blksz; j++) {
-		input = *ptr;
-		int i = 0;
-		while (i <= 7) {
-			operand = 1 << i;
-			status = input & operand;
-			if (status) {
-				i++;
-				count++;
-			} else {
-				*ptr |= operand;
-				return count;
-			}
+	if (fs->blksz == 1024)
+		count += 1;
+
+	for (i = 0; i <= 7; i++) {
+		operand = 1 << i;
+		if (*ptr & operand) {
+			count++;
+		} else {
+			*ptr |= operand;
+			return count;
 		}
-		ptr = ptr + 1;
 	}

 	return -1;