[PATCH 4/4] ntfs: add bounds check before accessing EA entries
From: Hyunchul Lee
Date: Thu May 21 2026 - 20:50:07 EST
In ntfs_ea_lookup and ntfs_listxattr, verify that enough space remains
in the EA buffer for an EA entry before accessing the entry's
next_entry_offset field.
Signed-off-by: Hyunchul Lee <hyc.lee@xxxxxxxxx>
---
fs/ntfs/ea.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ntfs/ea.c b/fs/ntfs/ea.c
index c4a4a3e3e599..323caced77ea 100644
--- a/fs/ntfs/ea.c
+++ b/fs/ntfs/ea.c
@@ -58,6 +58,9 @@ static int ntfs_ea_lookup(char *ea_buf, s64 ea_buf_size, const char *name,
offset = 0;
do {
+ if (ea_buf_size - offset < sizeof(struct ea_attr))
+ break;
+
p_ea = (const struct ea_attr *)&ea_buf[offset];
next = le32_to_cpu(p_ea->next_entry_offset);
p_ea_size = next ? next : (ea_buf_size - offset);
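Review bot: The new guard in ntfs_ea_lookup compares a signed difference with an unsigned `sizeof`, so a negative remainder would pass the check instead of failing it. The signature shows `ea_buf_size` is `s64`; on 64-bit builds the usual arithmetic conversions turn `ea_buf_size - offset` into an unsigned value before the comparison. Whether `offset` can ever run past `ea_buf_size` depends on the loop tail, which is outside this hunk, but the guard should not rely on that: assuming `offset` is a signed or narrower type, `if (ea_buf_size - offset < (s64)sizeof(struct ea_attr))` keeps the comparison signed. The same applies to the check in ntfs_listxattr if `ea_info_qsize` is a signed type, which is not visible here.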
@@ -486,6 +489,11 @@ ssize_t ntfs_listxattr(struct dentry *dentry, char *buffer, size_t size)
offset = 0;
do {
+ if (ea_info_qsize - offset < sizeof(struct ea_attr)) {
+ err = -EIO;
+ goto out;
+ }
+
p_ea = (const struct ea_attr *)&ea_buf[offset];
next = le32_to_cpu(p_ea->next_entry_offset);
ea_size = next ? next : (ea_info_qsize - offset);
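Review bot: A truncated entry is treated as corruption here (`err = -EIO; goto out;`), but the identical condition in ntfs_ea_lookup only does `break`, so the two paths may report the same malformed EA list differently. What ntfs_ea_lookup returns after its loop is outside the hunks shown, so this is worth confirming; if a short entry means on-disk corruption in both places, the lookup path should fail the same way rather than fall through as if the name was not found. A short comment above the check would also help, for example `/* Not enough room left for an EA header: the list is corrupt. */`. The body of ntfs_listxattr continues outside this hunk.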
--
2.43.0