Commit de885e3

adam900710 authored and kdave committed
btrfs: lzo: Harden inline lzo compressed extent decompression
For inlined extent, we only have one segment, thus fewer things to check. And furthermore, inlined extent always has the csum in its leaf header, it's less probable to have corrupted data. Anyway, still check header and segment header.

Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
1 parent 314bfa4 commit de885e3

1 file changed, +10 -1 lines changed

fs/btrfs/lzo.c

Lines changed: 10 additions & 1 deletion
@@ -430,15 +430,24 @@ static int lzo_decompress(struct list_head *ws, unsigned char *data_in,
430430
struct workspace *workspace = list_entry(ws, struct workspace, list);
431431
size_t in_len;
432432
size_t out_len;
433+
size_t max_segment_len = lzo1x_worst_compress(PAGE_SIZE);
433434
int ret = 0;
434435
char *kaddr;
435436
unsigned long bytes;
436437

437-
BUG_ON(srclen < LZO_LEN);
438+
if (srclen < LZO_LEN || srclen > max_segment_len + LZO_LEN * 2)
439+
return -EUCLEAN;
438440

441+
in_len = read_compress_length(data_in);
442+
if (in_len != srclen)
443+
return -EUCLEAN;
439444
data_in += LZO_LEN;
440445

441446
in_len = read_compress_length(data_in);
447+
if (in_len != srclen - LZO_LEN * 2) {
448+
ret = -EUCLEAN;
449+
goto out;
450+
}
442451
data_in += LZO_LEN;
443452

444453
out_len = PAGE_SIZE;
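
Review bot: The lower bound in the new `if (srclen < LZO_LEN || srclen > max_segment_len + LZO_LEN * 2)` check is a single LZO_LEN, but the lines that follow read two LZO_LEN-sized length fields from data_in and then compute `srclen - LZO_LEN * 2` on a size_t. An inline extent with LZO_LEN <= srclen < LZO_LEN * 2 whose first field equals srclen passes both earlier checks, so the second `read_compress_length(data_in)` reads past the end of the source buffer and the subtraction wraps around instead of going negative. Suggest tightening the lower bound to `srclen < LZO_LEN * 2`, so that both headers are known to be present before either is read and the later subtraction cannot underflow. A smaller point: the first two failures `return -EUCLEAN` directly while the third uses `goto out`; a one-line comment on why the exit paths differ, or a single consistent path, would make the error handling easier to audit.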
