summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJan Kara <jack@suse.cz>2007-08-30 23:56:22 -0700
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-08-31 01:42:22 -0700
commitf5cc15dac55d4943176f84681f37aa48094ffa8b (patch)
tree94eb6a351096fda5403bc5c98d686bfefedb9ba5
parentbcec44770cc65660369ae17b4e44be027a64a46c (diff)
downloadkernel-crypto-f5cc15dac55d4943176f84681f37aa48094ffa8b.tar.gz
kernel-crypto-f5cc15dac55d4943176f84681f37aa48094ffa8b.tar.xz
kernel-crypto-f5cc15dac55d4943176f84681f37aa48094ffa8b.zip
Fix possible NULL pointer dereference in udf_table_free_blocks()
Fix possible NULL pointer dereference when freeing blocks in case table of free space is used. Also fix handling of the case when we need to move extent from one block to another one to make space for indirect extent. BTW: Nobody seem to have ever used this code. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--fs/udf/balloc.c10
1 files changed, 4 insertions, 6 deletions
diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
index 276f7207a56..87e87dcd3f9 100644
--- a/fs/udf/balloc.c
+++ b/fs/udf/balloc.c
@@ -540,26 +540,24 @@ static void udf_table_free_blocks(struct super_block *sb,
if (epos.offset + adsize > sb->s_blocksize) {
loffset = epos.offset;
aed->lengthAllocDescs = cpu_to_le32(adsize);
- sptr = UDF_I_DATA(inode) + epos.offset -
- udf_file_entry_alloc_offset(inode) +
- UDF_I_LENEATTR(inode) - adsize;
+ sptr = UDF_I_DATA(table) + epos.offset - adsize;
dptr = epos.bh->b_data + sizeof(struct allocExtDesc);
memcpy(dptr, sptr, adsize);
epos.offset = sizeof(struct allocExtDesc) + adsize;
} else {
loffset = epos.offset + adsize;
aed->lengthAllocDescs = cpu_to_le32(0);
- sptr = oepos.bh->b_data + epos.offset;
- epos.offset = sizeof(struct allocExtDesc);
-
if (oepos.bh) {
+ sptr = oepos.bh->b_data + epos.offset;
aed = (struct allocExtDesc *)oepos.bh->b_data;
aed->lengthAllocDescs =
cpu_to_le32(le32_to_cpu(aed->lengthAllocDescs) + adsize);
} else {
+ sptr = UDF_I_DATA(table) + epos.offset;
UDF_I_LENALLOC(table) += adsize;
mark_inode_dirty(table);
}
+ epos.offset = sizeof(struct allocExtDesc);
}
if (UDF_SB_UDFREV(sb) >= 0x0200)
udf_new_tag(epos.bh->b_data, TAG_IDENT_AED, 3, 1,