Hi Allan,
Le 14/05/2026 à 20:18, Allan ELKAIM a écrit :
sqfs_dir_offset() returns a negative errno on failure, but three
call sites in sqfs_search_dir() use the return value as an array
index without checking for errors first. If the lookup fails,
dirs->table is set to an invalid address, leading to undefined
behavior.
Add negative-value guards after each sqfs_dir_offset() call so
that any lookup failure propagates cleanly as an error rather
than producing incorrect results.
Note: the corresponding sqfs_find_inode() NULL checks and the
heap exhaustion fix during symlink resolution are applied in
separate patches.
Signed-off-by: Allan ELKAIM <[email protected]>
---
fs/squashfs/sqfs.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 07e2bd82..430e9bac 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -496,6 +496,8 @@ static int sqfs_search_dir(struct squashfs_dir_stream
*dirs, char **token_list,
/* get directory offset in directory table */
offset = sqfs_dir_offset(table, m_list, m_count);
+ if (offset < 0)
+ return offset;
dirs->table = &dirs->dir_table[offset];
/* Setup directory header */
@@ -627,6 +629,10 @@ static int sqfs_search_dir(struct squashfs_dir_stream
*dirs, char **token_list,
/* Get dir. offset into the directory table */
offset = sqfs_dir_offset(table, m_list, m_count);
+ if (offset < 0) {
+ ret = offset;
+ goto out;
+ }
Don't we need to:
free(dirs->entry);
dirs->entry = NULL;
here?
dirs->table = &dirs->dir_table[offset];
/* Copy directory header */
@@ -651,6 +657,10 @@ static int sqfs_search_dir(struct squashfs_dir_stream
*dirs, char **token_list,
}
offset = sqfs_dir_offset(table, m_list, m_count);
+ if (offset < 0) {
+ ret = offset;
+ goto out;
+ }
same here?
dirs->table = &dirs->dir_table[offset];
if (get_unaligned_le16(&dir->inode_type) == SQFS_DIR_TYPE)
Thanks,
Regards,
Richard
