[PATCH v2 2/3] fs/squashfs: add sqfs_dir_offset() error checks

Richard GENOUD richard.genoud at bootlin.com
Wed Jun 24 16:49:50 CEST 2026 

Le 11/06/2026 à 11:43, Allan ELKAIM a écrit :
> sqfs_dir_offset() returns a negative errno on failure, but three
> call sites in sqfs_search_dir() use the return value as an array
> index without checking for errors first. If the lookup fails,
> dirs->table is set to an invalid address, leading to undefined
> behavior.
> 
> Add negative-value guards after each sqfs_dir_offset() call so
> that any lookup failure propagates cleanly as an error rather
> than producing incorrect results.
> 
> Note: the corresponding sqfs_find_inode() NULL checks and the
> heap exhaustion fix during symlink resolution are applied in
> separate patches.
> 
> Signed-off-by: Allan ELKAIM <allan.elkaim at gmail.com>
> Acked-by: Miquel Raynal <miquel.raynal at bootlin.com>

nip-tick: It's more common to put the Acked/Reviewed-by you gathered 
before your Signed-off-by, but IHMO, you don't have to send another 
revision just for that.

Reviewed-by: Richard Genoud <richard.genoud at bootlin.com>


Thanks!
> ---
> 
> Changes in v2:
> - Free dirs->entry and reset it to NULL in the two error paths
>    reachable while a directory entry is held, so a lookup failure
>    no longer leaks the entry (reported by Richard Genoud)
> 
>   fs/squashfs/sqfs.c | 14 ++++++++++++++
>   1 file changed, 14 insertions(+)
> 
> diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
> index 07e2bd82..af32d008 100644
> --- a/fs/squashfs/sqfs.c
> +++ b/fs/squashfs/sqfs.c
> @@ -496,6 +496,8 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
>   
>   	/* get directory offset in directory table */
>   	offset = sqfs_dir_offset(table, m_list, m_count);
> +	if (offset < 0)
> +		return offset;
>   	dirs->table = &dirs->dir_table[offset];
>   
>   	/* Setup directory header */
> @@ -627,6 +629,12 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
>   
>   		/* Get dir. offset into the directory table */
>   		offset = sqfs_dir_offset(table, m_list, m_count);
> +		if (offset < 0) {
> +			free(dirs->entry);
> +			dirs->entry = NULL;
> +			ret = offset;
> +			goto out;
> +		}
>   		dirs->table = &dirs->dir_table[offset];
>   
>   		/* Copy directory header */
> @@ -651,6 +659,12 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
>   	}
>   
>   	offset = sqfs_dir_offset(table, m_list, m_count);
> +	if (offset < 0) {
> +		free(dirs->entry);
> +		dirs->entry = NULL;
> +		ret = offset;
> +		goto out;
> +	}
>   	dirs->table = &dirs->dir_table[offset];
>   
>   	if (get_unaligned_le16(&dir->inode_type) == SQFS_DIR_TYPE)

More information about the U-Boot mailing list