udf: check partition reference in udf_read_inode()

We were checking block number without checking partition.
sbi->s_partmaps[iloc->partitionReferenceNum] could lead to
bad memory access. See udf_nfs_get_inode() path for instance.

Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Jan Kara <jack@suse.cz>

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 2296c87080529adaf123a170ee2e023931536997..8ec6b3df0bc7f7dc47c3c690259df74023bb6841 100644 (file)
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1277,6 +1277,12 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode)
        int ret = -EIO;
 
 reread:
+       if (iloc->partitionReferenceNum >= sbi->s_partitions) {
+               udf_debug("partition reference: %d > logical volume partitions: %d\n",
+                         iloc->partitionReferenceNum, sbi->s_partitions);
+               return -EIO;
+       }
+
        if (iloc->logicalBlockNum >=
            sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) {
                udf_debug("block=%d, partition=%d out of range\n",