udf: check partition reference in udf_read_inode()

We were checking block number without checking partition. sbi->s_partmaps[iloc->partitionReferenceNum] could lead to bad memory access. See udf_nfs_get_inode() path for instance. Signed-off-by: Fabian Frederick <[email protected]> Signed-off-by: Jan Kara <[email protected]>
subfuzion · Jan 10, 2017 · 1d82a56 · 1d82a56
1 parent 23bcda1
commit 1d82a56
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
@@ -1277,6 +1277,12 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode)
 	int ret = -EIO;
 
 reread:
+	if (iloc->partitionReferenceNum >= sbi->s_partitions) {
+		udf_debug("partition reference: %d > logical volume partitions: %d\n",
+			  iloc->partitionReferenceNum, sbi->s_partitions);
+		return -EIO;
+	}
+
 	if (iloc->logicalBlockNum >=
 	    sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) {
 		udf_debug("block=%d, partition=%d out of range\n",