[JFFS2] Handle dirents on the flash with embedded zero bytes in names.
In three places: summary scan, normal scan, REF_PRISTINE GC.
Just truncate at the NUL, since that was the correct thing to do in the
only case where this (inexplicable) breakage has been seen.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c
index 2a77d3f..629af01 100644
--- a/fs/jffs2/summary.c
+++ b/fs/jffs2/summary.c
@@ -429,6 +429,7 @@
case JFFS2_NODETYPE_DIRENT: {
struct jffs2_sum_dirent_flash *spd;
+ int checkedlen;
spd = sp;
dbg_summary("Dirent at 0x%08x-0x%08x\n",
@@ -436,12 +437,25 @@
jeb->offset + je32_to_cpu(spd->offset) + je32_to_cpu(spd->totlen));
- fd = jffs2_alloc_full_dirent(spd->nsize+1);
+ /* This should never happen, but https://dev.laptop.org/ticket/4184 */
+ checkedlen = strnlen(spd->name, spd->nsize);
+ if (!checkedlen) {
+ printk(KERN_ERR "Dirent at %08x has zero at start of name. Aborting mount.\n",
+ jeb->offset + je32_to_cpu(spd->offset));
+ return -EIO;
+ }
+ if (checkedlen < spd->nsize) {
+ printk(KERN_ERR "Dirent at %08x has zeroes in name. Truncating to %d chars\n",
+ jeb->offset + je32_to_cpu(spd->offset), checkedlen);
+ }
+
+
+ fd = jffs2_alloc_full_dirent(checkedlen+1);
if (!fd)
return -ENOMEM;
- memcpy(&fd->name, spd->name, spd->nsize);
- fd->name[spd->nsize] = 0;
+ memcpy(&fd->name, spd->name, checkedlen);
+ fd->name[checkedlen] = 0;
ic = jffs2_scan_make_ino_cache(c, je32_to_cpu(spd->pino));
if (!ic) {
@@ -455,7 +469,7 @@
fd->next = NULL;
fd->version = je32_to_cpu(spd->version);
fd->ino = je32_to_cpu(spd->ino);
- fd->nhash = full_name_hash(fd->name, spd->nsize);
+ fd->nhash = full_name_hash(fd->name, checkedlen);
fd->type = spd->type;
jffs2_add_fd_to_list(c, fd, &ic->scan_dents);
