Squashfs: fix corruption checks in squashfs_lookup()

The dir_count and size fields when read from disk are sanity
checked for correctness.  However, the sanity checks only check the
values are not greater than expected.  As dir_count and size were
incorrectly defined as signed ints, this can lead to corrupted values
appearing as negative which are not trapped.

Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>

diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c
index 342a5aa5a0e474cf5cdbdd1ff16047fb558701c1..67cad77fefb4ac165bfd92fbba02db473a02e22e 100644 (file)
--- a/fs/squashfs/namei.c
+++ b/fs/squashfs/namei.c
@@ -147,7 +147,8 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry,
        struct squashfs_dir_entry *dire;
        u64 block = squashfs_i(dir)->start + msblk->directory_table;
        int offset = squashfs_i(dir)->offset;
-       int err, length, dir_count, size;
+       int err, length;
+       unsigned int dir_count, size;
 
        TRACE("Entered squashfs_lookup [%llx:%x]\n", block, offset);