If the superblock has a revision level of 0, then s_inode_size is
undefined, and the actual inode size is 128 bytes. This is handled by
the EXT2_INODE_SIZE() helper macro. If s_inode_size is maliciously
set to a large value, and the s_rev_level is 0, then this could result
in an illegal memory pointer dereference.
Addresses-Debian-Bug: #878104
Reported-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
{
__u32 gen;
struct ext2_inode_large *desc = inode;
- size_t size = fs->super->s_inode_size;
+ size_t size = EXT2_INODE_SIZE(fs->super);
__u16 old_lo;
__u16 old_hi = 0;
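Review bot: the switch to `EXT2_INODE_SIZE(fs->super)` on the `size_t size = ...` line closes only the s_rev_level == 0 case the message describes; for any other revision level the macro still passes the raw s_inode_size through, so an oversized value from a crafted superblock reaches the rest of this function unchanged. Suggest either a short comment stating that this function relies on the superblock having been validated when the filesystem was opened, or a local bound check (for example that `size` is not larger than the filesystem block size) before `size` is used to reach fields beyond the 128-byte base of `desc`.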