From 802b6499bdc5547003438cfa0d70902639f89338 Mon Sep 17 00:00:00 2001
From: Kinglong Mee
Date: Wed, 15 Mar 2017 21:12:10 +0800
Subject: [PATCH] fsck.f2fs: sanity check of crc_offset from raw checkpoint

The crc_offset towards or beyond the end of block is wrong, sanity check it.

Signed-off-by: Kinglong Mee
Signed-off-by: Jaegeuk Kim
---
 fsck/mount.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fsck/mount.c b/fsck/mount.c
index 5008437..6553581 100644
--- a/fsck/mount.c
+++ b/fsck/mount.c
@@ -544,7 +544,7 @@ void *validate_checkpoint(struct f2fs_sb_info *sbi, block_t cp_addr,
 
 	cp = (struct f2fs_checkpoint *)cp_page_1;
 	crc_offset = get_cp(checksum_offset);
-	if (crc_offset >= blk_size)
+	if (crc_offset > (blk_size - sizeof(__le32)))
 		goto invalid_cp1;
 
 	crc = le32_to_cpu(*(__le32 *)((unsigned char *)cp + crc_offset));
@@ -562,7 +562,7 @@ void *validate_checkpoint(struct f2fs_sb_info *sbi, block_t cp_addr,
 
 	cp = (struct f2fs_checkpoint *)cp_page_2;
 	crc_offset = get_cp(checksum_offset);
-	if (crc_offset >= blk_size)
+	if (crc_offset > (blk_size - sizeof(__le32)))
 		goto invalid_cp2;
 
 	crc = le32_to_cpu(*(__le32 *)((unsigned char *)cp + crc_offset));
-- 
2.7.4
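Review bot: The new upper bound keeps the 4-byte CRC read inside the block, but the read that follows (`crc = le32_to_cpu(*(__le32 *)((unsigned char *)cp + crc_offset));`) still dereferences a `__le32 *` at an arbitrary on-disk byte offset, so an unaligned `checksum_offset` in a crafted checkpoint is a misaligned access on strict-alignment targets; either reject unaligned offsets, `if (crc_offset % sizeof(__le32)) goto invalid_cp1;`, or read through `memcpy(&crc, (unsigned char *)cp + crc_offset, sizeof(crc)); crc = le32_to_cpu(crc);`. There is also no lower bound: since the CRC presumably covers only the bytes before `crc_offset`, a very small offset leaves the rest of the checkpoint unauthenticated, and a minimum tied to the fixed-size part of `struct f2fs_checkpoint` would close that — worth confirming against the struct layout and the kernel's check. validate_checkpoint starts before and continues after this hunk.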
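Review bot: The bound `crc_offset > (blk_size - sizeof(__le32))` is now written out twice, once per checkpoint page, and any later tightening (alignment, a minimum offset) has to be applied in both places; a small `static` helper such as `cp_crc_offset_valid(crc_offset, blk_size)` called from both sites would keep the two checks from drifting apart. A one-line comment on the check, `/* the CRC itself must fit within the block */`, would also make the `- sizeof(__le32)` adjustment self-explanatory. validate_checkpoint continues outside this hunk.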