Hi Richard, Yes you are right, thank you for catching that !
I'll publish a v2. By the way, I hope I'm doing this the right way, it's the first time I contribute to a project via email. I'm more used to contribute through github/gitlab's PR/MR, if I am not doing it properly feel free to let me know ! Regards, Allan Le ven. 22 mai 2026, 15:29, Richard GENOUD <[email protected]> a écrit : > Hi Allan, > Le 14/05/2026 à 20:18, Allan ELKAIM a écrit : > > sqfs_dir_offset() returns a negative errno on failure, but three > > call sites in sqfs_search_dir() use the return value as an array > > index without checking for errors first. If the lookup fails, > > dirs->table is set to an invalid address, leading to undefined > > behavior. > > > > Add negative-value guards after each sqfs_dir_offset() call so > > that any lookup failure propagates cleanly as an error rather > > than producing incorrect results. > > > > Note: the corresponding sqfs_find_inode() NULL checks and the > > heap exhaustion fix during symlink resolution are applied in > > separate patches. > > > > Signed-off-by: Allan ELKAIM <[email protected]> > > --- > > > > fs/squashfs/sqfs.c | 10 ++++++++++ > > 1 file changed, 10 insertions(+) > > > > diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c > > index 07e2bd82..430e9bac 100644 > > --- a/fs/squashfs/sqfs.c > > +++ b/fs/squashfs/sqfs.c > > @@ -496,6 +496,8 @@ static int sqfs_search_dir(struct > squashfs_dir_stream *dirs, char **token_list, > > > > /* get directory offset in directory table */ > > offset = sqfs_dir_offset(table, m_list, m_count); > > + if (offset < 0) > > + return offset; > > dirs->table = &dirs->dir_table[offset]; > > > > /* Setup directory header */ > > @@ -627,6 +629,10 @@ static int sqfs_search_dir(struct > squashfs_dir_stream *dirs, char **token_list, > > > > /* Get dir. offset into the directory table */ > > offset = sqfs_dir_offset(table, m_list, m_count); > > + if (offset < 0) { > > + ret = offset; > > + goto out; > > + } > Don't we need to: > free(dirs->entry); > dirs->entry = NULL; > here? > > > dirs->table = &dirs->dir_table[offset]; > > > > /* Copy directory header */ > > @@ -651,6 +657,10 @@ static int sqfs_search_dir(struct > squashfs_dir_stream *dirs, char **token_list, > > } > > > > offset = sqfs_dir_offset(table, m_list, m_count); > > + if (offset < 0) { > > + ret = offset; > > + goto out; > > + } > same here? > > > dirs->table = &dirs->dir_table[offset]; > > > > if (get_unaligned_le16(&dir->inode_type) == SQFS_DIR_TYPE) > > Thanks, > Regards, > Richard >
