btrfs: Check name_len in btrfs_check_ref_name_override
authorSu Yue <suy.fnst@cn.fujitsu.com>
Tue, 6 Jun 2017 09:57:04 +0000 (17:57 +0800)
committerDavid Sterba <dsterba@suse.com>
Wed, 21 Jun 2017 17:16:04 +0000 (19:16 +0200)
In btrfs_log_inode, btrfs_search_forward gets the buffer and then
btrfs_check_ref_name_override will read name from ref/extref for the
first time.

Call btrfs_is_name_len_valid before reading name.

Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
fs/btrfs/tree-log.c

index 06c7ceb07282a516924dffd472b80b81a7595801..f20ef211a73d081f38f8ebac80b315d7ee30112e 100644 (file)
@@ -4562,6 +4562,12 @@ static int btrfs_check_ref_name_override(struct extent_buffer *eb,
                        this_len = sizeof(*extref) + this_name_len;
                }
 
+               ret = btrfs_is_name_len_valid(eb, slot, name_ptr,
+                                             this_name_len);
+               if (!ret) {
+                       ret = -EIO;
+                       goto out;
+               }
                if (this_name_len > name_len) {
                        char *new_name;