summaryrefslogtreecommitdiffstats
path: root/fs/udf
diff options
context:
space:
mode:
authorJan Kara <jack@suse.cz>2018-02-08 17:39:01 +0100
committerJan Kara <jack@suse.cz>2018-02-16 11:14:41 +0100
commit91c9c9ec54c1e88d9ef59a7b12cf31d6ef5d1e58 (patch)
tree9ca7e1fbc0013be28c98d09cf8965de749732b4e /fs/udf
parente1603b6effe177210701d3d7132d1b68e7bd2c93 (diff)
downloadlinux-stable-91c9c9ec54c1e88d9ef59a7b12cf31d6ef5d1e58.tar.gz
linux-stable-91c9c9ec54c1e88d9ef59a7b12cf31d6ef5d1e58.tar.bz2
linux-stable-91c9c9ec54c1e88d9ef59a7b12cf31d6ef5d1e58.zip
udf: Fix off-by-one in volume descriptor sequence length
We pass one block beyond end of volume descriptor sequence into process_sequence() as 'lastblock' instead of the last block of the sequence. When the sequence is not terminated with TD descriptor, this could lead to false errors due to invalid blocks in volume descriptor sequence and thus unmountable volumes. Acked-by: Pali Rohár <pali.rohar@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs/udf')
-rw-r--r--fs/udf/super.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/udf/super.c b/fs/udf/super.c
index f73239a9a97d..5c5d5fd513cc 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1658,7 +1658,7 @@ static noinline int udf_process_sequence(
next_e = le32_to_cpu(
vdp->nextVolDescSeqExt.extLength);
next_e = next_e >> sb->s_blocksize_bits;
- next_e += next_s;
+ next_e += next_s - 1;
}
break;
case TAG_IDENT_IUVD: /* ISO 13346 3/10.4 */
@@ -1760,13 +1760,13 @@ static int udf_load_sequence(struct super_block *sb, struct buffer_head *bh,
main_s = le32_to_cpu(anchor->mainVolDescSeqExt.extLocation);
main_e = le32_to_cpu(anchor->mainVolDescSeqExt.extLength);
main_e = main_e >> sb->s_blocksize_bits;
- main_e += main_s;
+ main_e += main_s - 1;
/* Locate the reserve sequence */
reserve_s = le32_to_cpu(anchor->reserveVolDescSeqExt.extLocation);
reserve_e = le32_to_cpu(anchor->reserveVolDescSeqExt.extLength);
reserve_e = reserve_e >> sb->s_blocksize_bits;
- reserve_e += reserve_s;
+ reserve_e += reserve_s - 1;
/* Process the main & reserve sequences */
/* responsible for finding the PartitionDesc(s) */