Verify that the loaded zone count is in the valid range before using it as a loop iterator. Also validate the region_count to catch cases where too few regions are defined.
Signed-off-by: Matthew Sakai <[email protected]> --- drivers/md/dm-vdo/indexer/index-layout.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/md/dm-vdo/indexer/index-layout.c b/drivers/md/dm-vdo/indexer/index-layout.c index 61edf2b72427..90a2e4b7345c 100644 --- a/drivers/md/dm-vdo/indexer/index-layout.c +++ b/drivers/md/dm-vdo/indexer/index-layout.c @@ -1444,8 +1444,11 @@ static int __must_check reconstruct_index_save(struct index_save_layout *isl, u64 next_block = isl->index_save.start_block; u64 last_block = next_block + isl->index_save.block_count; - isl->zone_count = table->header.region_count - 3; + if (table->header.region_count < 4) + return vdo_log_error_strerror(UDS_CORRUPT_DATA, + "invalid region count"); + isl->zone_count = table->header.region_count - 3; last_region = &table->regions[table->header.region_count - 1]; if (last_region->kind == RL_KIND_EMPTY) { isl->free_space = *last_region; @@ -1459,6 +1462,10 @@ static int __must_check reconstruct_index_save(struct index_save_layout *isl, }; } + if (isl->zone_count > MAX_ZONES) + return vdo_log_error_strerror(UDS_CORRUPT_DATA, + "invalid zone count"); + isl->header = table->regions[0]; result = verify_region(&isl->header, next_block++, RL_KIND_HEADER, RL_SOLE_INSTANCE); -- 2.48.1
