authorJin Qian <jinqian@google.com>2017-04-27 15:45:28 -0700
committerJin Qian <jinqian@google.com>2017-05-08 14:33:20 -0700
commit8be4c2d04755d8d7b3c4dd9b15b1b1345c53d14a (patch)
treefacc8bb616affb04d86d67c7ac996c882c7c5782 /fsck
parent2010f975eefe4bb74623a0699527bea4ba726c06 (diff)
fsck.f2fs: sanity check segno and blk_off when building curseg array
segno and blk_off were read from input image without sanity check. This could lead to buffer overflow when accessing internal arrays like SIT sentries and seg_entry cur_valid_map. Bug: 36266023 Change-Id: I09a54c61707ec40607bb8314276875ce7ab4c22a Signed-off-by: Jin Qian <jinqian@google.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Diffstat (limited to 'fsck')
-rw-r--r--fsck/mount.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/fsck/mount.c b/fsck/mount.c
index ae1a2ff..b8e8c45 100644
--- a/fsck/mount.c
+++ b/fsck/mount.c
@@ -1045,6 +1045,9 @@ static void build_curseg(struct f2fs_sb_info *sbi)
blk_off = get_cp(cur_node_blkoff[i - CURSEG_HOT_NODE]);
segno = get_cp(cur_node_segno[i - CURSEG_HOT_NODE]);
}
+ ASSERT(segno < TOTAL_SEGS(sbi));
+ ASSERT(blk_off < DEFAULT_BLOCKS_PER_SEGMENT);
+
array[i].segno = segno;
array[i].zone = GET_ZONENO_FROM_SEGNO(sbi, segno);
array[i].next_segno = NULL_SEGNO;
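Review bot: The two added ASSERT lines are the only validation of `segno` and `blk_off`, which come from the checkpoint in the input image, so the fix holds only if ASSERT stays active in every build configuration; its definition is not visible in this hunk and should be confirmed to be unconditional rather than NDEBUG-style. A comment above the checks would record why the bounds matter, e.g. `/* segno and blk_off are read from the on-disk checkpoint; bound them before they index SIT entries and cur_valid_map */`. The block offset is compared against the constant `DEFAULT_BLOCKS_PER_SEGMENT`; if the superblock can carry a different blocks-per-segment value, the bound should presumably be derived from `sbi` instead. build_curseg starts and ends outside the hunk, so later uses of these values cannot be checked from here.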