yaffs Fix scan problem for corrupted tags

Check that the tags are within reasonable bounds. Without this, subsequent
checks can fail causing a mount failure.

Signed-off-by: Charles Manning <cdhmanning@gmail.com>

diff --git a/yaffs_guts.h b/yaffs_guts.h
index ca18503d5ae29de13e50b88ec728a20d7314a867..c6e49c4bae75b9f0268e3bad59c71811350fdd43 100644 (file)
--- a/yaffs_guts.h
+++ b/yaffs_guts.h
@@ -52,7 +52,6 @@
 
 #define YAFFS_MAX_CHUNK_ID             0x000FFFFF
 
-#define YAFFS_UNUSED_OBJECT_ID         0x0003FFFF
 
 #define YAFFS_ALLOCATION_NOBJECTS      100
 #define YAFFS_ALLOCATION_NTNODES       100
@@ -62,6 +61,7 @@
 
 
 #define YAFFS_OBJECT_SPACE             0x40000
+#define YAFFS_MAX_OBJECT_ID            (YAFFS_OBJECT_SPACE -1)
 
 #define YAFFS_CHECKPOINT_VERSION       4
 

diff --git a/yaffs_yaffs2.c b/yaffs_yaffs2.c
index 40d9771cdf5019dbe90b41c07d2d1c1d9a01ddd4..90646fd37ae2f5b44160d9aea964ec72ae0f579a 100644 (file)
--- a/yaffs_yaffs2.c
+++ b/yaffs_yaffs2.c
@@ -1130,6 +1130,15 @@ int yaffs2_ScanBackwards(yaffs_Device *dev)
 
                                  dev->nFreeChunks++;
 
+                       } else if (tags.objectId > YAFFS_MAX_OBJECT_ID ||
+                               tags.chunkId > YAFFS_MAX_CHUNK_ID ||
+                               (tags.chunkId > 0 && tags.byteCount > dev->nDataBytesPerChunk)) {
+                               T(YAFFS_TRACE_SCAN,
+                                 (TSTR("Chunk (%d:%d) with bad tags:obj = %d, chunkId = %d, byteCount = %d, ignored"TENDSTR),
+                                 blk, c,tags.objectId, tags.chunkId, tags.byteCount));
+
+                                 dev->nFreeChunks++;
+
                        } else if (tags.chunkId > 0) {
                                /* chunkId > 0 so it is a data chunk... */
                                unsigned int endpos;