authorTheodore Ts'o <tytso@mit.edu>2022-08-12 15:48:04 -0400
committerTheodore Ts'o <tytso@mit.edu>2022-08-12 15:48:04 -0400
commit64d576a89959bfdcf5415be2c36c06549562cbb2 (patch)
tree043e3e05029522a58788effd8fc9ecc18eec33ab
parent164201425ec292ac25b93b61694fe6843cac74fd (diff)
e2fsck: validate i_extra_size in ext4_fc_handle_inode
Addresses-Coverity-Bug: 1500765 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r--e2fsck/journal.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/e2fsck/journal.c b/e2fsck/journal.c
index 571de83e9..1646b479b 100644
--- a/e2fsck/journal.c
+++ b/e2fsck/journal.c
@@ -747,9 +747,19 @@ static int ext4_fc_handle_inode(e2fsck_t ctx, __u8 *val)
fc_raw_inode = val + sizeof(fc_ino);
ino = le32_to_cpu(fc_ino);
- if (EXT2_INODE_SIZE(ctx->fs->super) > EXT2_GOOD_OLD_INODE_SIZE)
- inode_len += ext2fs_le16_to_cpu(
+ if (EXT2_INODE_SIZE(ctx->fs->super) > EXT2_GOOD_OLD_INODE_SIZE) {
+ __u16 extra_isize = ext2fs_le16_to_cpu(
((struct ext2_inode_large *)fc_raw_inode)->i_extra_isize);
+
+ if ((extra_isize < (sizeof(inode->i_extra_isize) +
+ sizeof(inode->i_checksum_hi))) ||
+ (extra_isize > (EXT2_INODE_SIZE(ctx->fs->super) -
+ EXT2_GOOD_OLD_INODE_SIZE))) {
+ err = EFSCORRUPTED;
+ goto out;
+ }
+ inode_len += extra_isize;
+ }
err = ext2fs_get_mem(inode_len, &inode);
if (err)
goto out;
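Review bot: The added range check validates the value of `extra_isize`, but the load that produces it still reads `((struct ext2_inode_large *)fc_raw_inode)->i_extra_isize` with no visible check that the fast-commit record behind `val` is long enough to contain that field; the signature in the hunk header takes only `val`, with no length. Unless the caller already guarantees the record size, a truncated record in a corrupted journal could make this read, and any later copy of `inode_len` bytes from `fc_raw_inode`, run past the end of the buffer. I would pass the record length into the function (called `len` here) and reject short records before the cast, e.g. `if (len < sizeof(fc_ino) + EXT2_GOOD_OLD_INODE_SIZE + sizeof(__u16)) { err = EFSCORRUPTED; goto out; }`, then compare `len` against `sizeof(fc_ino) + inode_len` once `inode_len` is final. If the caller does enforce this, a short comment above the cast naming that check would do. The function begins and ends outside this hunk, so the caller's checks and the cleanup at `out:` are not visible here.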