--- fs/bfs/inode.c.0 2018-06-15 11:41:58.096196504 +0100
+++ fs/bfs/inode.c 2018-06-15 21:43:32.446336657 +0100
@@ -1,7 +1,7 @@
 /*
 * fs/bfs/inode.c
 * BFS superblock and inode operations.
- * Copyright (C) 1999-2006 Tigran Aivazian
+ * Copyright (C) 1999-2018 Tigran Aivazian
 * From fs/minix, Copyright (C) 1991, 1992 Linus Torvalds.
 *
 * Made endianness-clean by Andrew Stribblehill , 2005.
@@ -350,15 +350,20 @@
 s->s_magic = BFS_MAGIC;
- if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) {
+ if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) ||
+ le32_to_cpu(bfs_sb->s_start) < sizeof(struct bfs_super_block) + + sizeof(struct bfs_dirent)) {
 printf("Superblock is corrupted\n");
 goto out1;
 }
- info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) /
- sizeof(struct bfs_inode)
+ info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) / sizeof(struct bfs_inode)
 + BFS_ROOT_INO - 1;
- imap_len = (info->si_lasti / 8) + 1;
+ if (info->si_lasti > 513) { /* Hardcoded: BFS can have up to 512 maximum number of inodes */
+ printf("Impossible number of inodes %lu\n", info->si_lasti);
+ goto out1;
+ }
+ imap_len = round_up((info->si_lasti) / 8, sizeof(unsigned long)) + sizeof(unsigned long);
 info->si_imap = kzalloc(imap_len, GFP_KERNEL);
 if (!info->si_imap)
 goto out1;
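Review bot: The new bound `info->si_lasti > 513` is a bare literal, and its comment gives the limit as 512 inodes, so a reader cannot tell whether the difference is intended; since this check is what caps the `kzalloc` size derived from an on-disk field, it deserves a named constant, e.g. `#define BFS_MAX_LASTI 513 /* 512 inodes + BFS_ROOT_INO - 1 */` (assuming BFS_ROOT_INO is 2, which this hunk does not show). The `imap_len` line would also read more directly as `imap_len = BITS_TO_LONGS(info->si_lasti + 1) * sizeof(unsigned long);`, which sizes the map in whole words without the extra padding word; that matters if si_imap is scanned with word-based bitops, which happens outside this hunk. The enclosing function starts and ends outside the hunk.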