diff options
author | Jan Kara <jack@suse.cz> | 2007-06-01 00:46:29 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-06-01 08:18:27 -0700 |
commit | 85d71244f02583886dc20a60df2d4657d42116b4 (patch) | |
tree | 9140675832d488f40f5a4b230ff7c651a598dbf4 /fs/udf | |
parent | 296baae254c2e9ead4da5bfa57ecec86750331c7 (diff) | |
download | op-kernel-dev-85d71244f02583886dc20a60df2d4657d42116b4.zip op-kernel-dev-85d71244f02583886dc20a60df2d4657d42116b4.tar.gz |
Fix possible UDF data corruption
update_next_aext() could possibly rewrite values in elen and eloc, possibly
leading to data corruption when rewriting a file. Use temporary variables
instead. Also advance cur_epos as it can also point to an indirect extent
pointer.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/udf')
-rw-r--r-- | fs/udf/inode.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/fs/udf/inode.c b/fs/udf/inode.c index c846155..1f01294 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -460,8 +460,8 @@ static struct buffer_head * inode_getblk(struct inode * inode, sector_t block, kernel_long_ad laarr[EXTENT_MERGE_SIZE]; struct extent_position prev_epos, cur_epos, next_epos; int count = 0, startnum = 0, endnum = 0; - uint32_t elen = 0; - kernel_lb_addr eloc; + uint32_t elen = 0, tmpelen; + kernel_lb_addr eloc, tmpeloc; int c = 1; loff_t lbcount = 0, b_off = 0; uint32_t newblocknum, newblock; @@ -520,8 +520,12 @@ static struct buffer_head * inode_getblk(struct inode * inode, sector_t block, b_off -= lbcount; offset = b_off >> inode->i_sb->s_blocksize_bits; - /* Move into indirect extent if we are at a pointer to it */ - udf_next_aext(inode, &prev_epos, &eloc, &elen, 0); + /* + * Move prev_epos and cur_epos into indirect extent if we are at + * the pointer to it + */ + udf_next_aext(inode, &prev_epos, &tmpeloc, &tmpelen, 0); + udf_next_aext(inode, &cur_epos, &tmpeloc, &tmpelen, 0); /* if the extent is allocated and recorded, return the block if the extent is not a multiple of the blocksize, round up */ |