[PATCH v1 2/2] fs/squashfs: add sqfs_dir_offset() error checks

Richard GENOUD richard.genoud at bootlin.com
Fri May 22 15:29:06 CEST 2026 

Hi Allan,
Le 14/05/2026 à 20:18, Allan ELKAIM a écrit :
> sqfs_dir_offset() returns a negative errno on failure, but three
> call sites in sqfs_search_dir() use the return value as an array
> index without checking for errors first. If the lookup fails,
> dirs->table is set to an invalid address, leading to undefined
> behavior.
> 
> Add negative-value guards after each sqfs_dir_offset() call so
> that any lookup failure propagates cleanly as an error rather
> than producing incorrect results.
> 
> Note: the corresponding sqfs_find_inode() NULL checks and the
> heap exhaustion fix during symlink resolution are applied in
> separate patches.
> 
> Signed-off-by: Allan ELKAIM <allan.elkaim at gmail.com>
> ---
> 
>   fs/squashfs/sqfs.c | 10 ++++++++++
>   1 file changed, 10 insertions(+)
> 
> diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
> index 07e2bd82..430e9bac 100644
> --- a/fs/squashfs/sqfs.c
> +++ b/fs/squashfs/sqfs.c
> @@ -496,6 +496,8 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
>   
>   	/* get directory offset in directory table */
>   	offset = sqfs_dir_offset(table, m_list, m_count);
> +	if (offset < 0)
> +		return offset;
>   	dirs->table = &dirs->dir_table[offset];
>   
>   	/* Setup directory header */
> @@ -627,6 +629,10 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
>   
>   		/* Get dir. offset into the directory table */
>   		offset = sqfs_dir_offset(table, m_list, m_count);
> +		if (offset < 0) {
> +			ret = offset;
> +			goto out;
> +		}
Don't we need to:
	free(dirs->entry);
	dirs->entry = NULL;
here?

>   		dirs->table = &dirs->dir_table[offset];
>   
>   		/* Copy directory header */
> @@ -651,6 +657,10 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
>   	}
>   
>   	offset = sqfs_dir_offset(table, m_list, m_count);
> +	if (offset < 0) {
> +		ret = offset;
> +		goto out;
> +	}
same here?

>   	dirs->table = &dirs->dir_table[offset];
>   
>   	if (get_unaligned_le16(&dir->inode_type) == SQFS_DIR_TYPE)

Thanks,
Regards,
Richard

More information about the U-Boot mailing list