From: Theodore Ts'o Date: Fri, 12 Aug 2022 19:48:04 +0000 (-0400) Subject: e2fsck: validate i_extra_size in ext4_fc_handle_inode X-Git-Tag: v1.46.6-rc1~19 X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=64d576a89959bfdcf5415be2c36c06549562cbb2;p=tools%2Fe2fsprogs.git e2fsck: validate i_extra_size in ext4_fc_handle_inode Addresses-Coverity-Bug: 1500765 Signed-off-by: Theodore Ts'o
---
diff --git a/e2fsck/journal.c b/e2fsck/journal.c
index 571de83..1646b47 100644
--- a/e2fsck/journal.c
+++ b/e2fsck/journal.c
@@ -747,9 +747,19 @@ static int ext4_fc_handle_inode(e2fsck_t ctx, __u8 *val)
 fc_raw_inode = val + sizeof(fc_ino);
 ino = le32_to_cpu(fc_ino);
 
- if (EXT2_INODE_SIZE(ctx->fs->super) > EXT2_GOOD_OLD_INODE_SIZE)
- inode_len += ext2fs_le16_to_cpu(
+ if (EXT2_INODE_SIZE(ctx->fs->super) > EXT2_GOOD_OLD_INODE_SIZE) {
+ __u16 extra_isize = ext2fs_le16_to_cpu(
 ((struct ext2_inode_large *)fc_raw_inode)->i_extra_isize);
+
+ if ((extra_isize < (sizeof(inode->i_extra_isize) +
+ sizeof(inode->i_checksum_hi))) ||
+ (extra_isize > (EXT2_INODE_SIZE(ctx->fs->super) -
+ EXT2_GOOD_OLD_INODE_SIZE))) {
+ err = EFSCORRUPTED;
+ goto out;
+ }
+ inode_len += extra_isize;
+ }
 err = ext2fs_get_mem(inode_len, &inode);
 if (err)
 goto out;
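Review bot: The new bounds check constrains `extra_isize` against the superblock's inode size, but nothing in this hunk ties `inode_len` to the number of bytes actually present behind `val`. `ext4_fc_handle_inode(e2fsck_t ctx, __u8 *val)` receives no tag length, so the read of `i_extra_isize` through the `struct ext2_inode_large *` cast, and any later copy of `inode_len` bytes from `fc_raw_inode`, rely on the caller having already checked the fast-commit tag length. If the caller does not guarantee that, the length should be passed in and compared before the cast, e.g. `if (len < sizeof(fc_ino) + inode_len) { err = EFSCORRUPTED; goto out; }`, where `len` is a new parameter. The check also rejects 0 and accepts values that are not a multiple of 4; if that is intentional for replay, a one-line comment such as `/* replay needs i_checksum_hi, so require at least those 4 bytes */` would record why. The function body begins and ends outside the hunk, so the `out:` path and the later use of `inode_len` are not visible here.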