sqfs_dir_offset() returns a negative errno on failure, but three call sites in sqfs_search_dir() use the return value as an array index without checking for errors first. If the lookup fails, dirs->table is set to an invalid address, leading to undefined behavior.
Add negative-value guards after each sqfs_dir_offset() call so that any lookup failure propagates cleanly as an error rather than producing incorrect results. Note: the corresponding sqfs_find_inode() NULL checks and the heap exhaustion fix during symlink resolution are applied in separate patches. Signed-off-by: Allan ELKAIM <[email protected]> --- fs/squashfs/sqfs.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c index 07e2bd82..430e9bac 100644 --- a/fs/squashfs/sqfs.c +++ b/fs/squashfs/sqfs.c @@ -496,6 +496,8 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, /* get directory offset in directory table */ offset = sqfs_dir_offset(table, m_list, m_count); + if (offset < 0) + return offset; dirs->table = &dirs->dir_table[offset]; /* Setup directory header */ @@ -627,6 +629,10 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, /* Get dir. offset into the directory table */ offset = sqfs_dir_offset(table, m_list, m_count); + if (offset < 0) { + ret = offset; + goto out; + } dirs->table = &dirs->dir_table[offset]; /* Copy directory header */ @@ -651,6 +657,10 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, } offset = sqfs_dir_offset(table, m_list, m_count); + if (offset < 0) { + ret = offset; + goto out; + } dirs->table = &dirs->dir_table[offset]; if (get_unaligned_le16(&dir->inode_type) == SQFS_DIR_TYPE) -- 2.53.0
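Review bot: in the first hunk (@@ -496) the guard returns `offset` directly, while the two later hunks route the error through `ret = offset; goto out;`. The visible context does not show what precedes line 496 in sqfs_search_dir(), so please confirm nothing acquired earlier in the function needs releasing on this path; if the `out:` label exists for that cleanup, use the same `goto out` form here so all three error paths behave alike. Also confirm `offset` is declared as a signed type: if it were `unsigned` or `size_t`, `offset < 0` could never be true and the guard would be dead code.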
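Review bot: in the second hunk (@@ -627) the new check only rejects the negative errno case; a non-negative `offset` is still used unchecked in `dirs->table = &dirs->dir_table[offset];`. That matches the scope stated in the commit message, but a one-line comment saying that sqfs_dir_offset() is trusted to return an in-range offset on success would stop a later reader from assuming this guard also bounds the index.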
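Review bot: with the third hunk (@@ -651) all three call sites are now textually identical: the same `offset = sqfs_dir_offset(table, m_list, m_count);`, the same negative check, and the same `dirs->table = &dirs->dir_table[offset];` assignment. A small static helper that does the lookup and the assignment and returns the errno would remove the triplicated guard and make it harder for a future call site to omit it.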

