From: Allan ELKAIM <allan.elkaim@gmail.com>
To: u-boot@lists.denx.de
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
Joao Marcos Costa <jmcosta944@gmail.com>,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
Tom Rini <trini@konsulko.com>,
Allan ELKAIM <allan.elkaim@gmail.com>
Subject: [PATCH v1 2/2] fs/squashfs: add sqfs_dir_offset() error checks
Date: Thu, 14 May 2026 20:18:53 +0200
Message-ID: <20260514181854.399679-6-allan.elkaim@gmail.com>
In-Reply-To: <20260514181854.399679-3-allan.elkaim@gmail.com>

sqfs_dir_offset() returns a negative errno on failure, but three
call sites in sqfs_search_dir() use the return value as an array
index without checking for errors first. If the lookup fails,
dirs->table is set to an invalid address, leading to undefined
behavior.

Add negative-value guards after each sqfs_dir_offset() call so
that any lookup failure propagates cleanly as an error rather
than producing incorrect results.

Note: the corresponding sqfs_find_inode() NULL checks and the
heap exhaustion fix during symlink resolution are applied in
separate patches.

Signed-off-by: Allan ELKAIM <allan.elkaim@gmail.com>
---
fs/squashfs/sqfs.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 07e2bd82..430e9bac 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -496,6 +496,8 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
/* get directory offset in directory table */
offset = sqfs_dir_offset(table, m_list, m_count);
+ if (offset < 0)
+ return offset;
dirs->table = &dirs->dir_table[offset];
/* Setup directory header */
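Review bot: The first guard leaves with a bare `return offset;` while the two later guards in the same function set `ret` and `goto out`; please confirm that nothing acquired before this point needs the cleanup at `out`, and say so in the commit message or a short comment so the difference does not look accidental. The `offset < 0` test also depends on `offset` being a signed type, which the hunk does not show; if it is declared unsigned the guard never fires.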
@@ -627,6 +629,10 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
/* Get dir. offset into the directory table */
offset = sqfs_dir_offset(table, m_list, m_count);
+ if (offset < 0) {
+ ret = offset;
+ goto out;
+ }
dirs->table = &dirs->dir_table[offset];
/* Copy directory header */
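Review bot: The guard added ahead of `dirs->table = &dirs->dir_table[offset];` rejects only negative values, so a non-negative offset that points past the end of the directory table would still be turned into a pointer. Since the value comes from a lookup in filesystem data, consider also checking it against the directory table size here, unless sqfs_dir_offset() already guarantees that, in which case a one-line comment saying so would help.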
@@ -651,6 +657,10 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
}
offset = sqfs_dir_offset(table, m_list, m_count);
+ if (offset < 0) {
+ ret = offset;
+ goto out;
+ }
dirs->table = &dirs->dir_table[offset];
if (get_unaligned_le16(&dir->inode_type) == SQFS_DIR_TYPE)
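Review bot: This guard is a line-for-line copy of the one in the previous hunk, and the call, the check and the `dirs->table` assignment now appear together at three sites in sqfs_search_dir(). A small static helper that performs the lookup, sets `dirs->table` on success and returns the negative errno otherwise would keep the three sites from drifting apart. This call site also lacks the short comment the other two carry above the sqfs_dir_offset() call.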
--
2.53.0