diff --git a/fs/hpfs/ea.c b/fs/hpfs/ea.c
index 102ba18e561f..7847e01c0c1f 100644
--- a/fs/hpfs/ea.c
+++ b/fs/hpfs/ea.c
@@ -135,7 +135,14 @@ char *hpfs_get_ea(struct super_block *s, struct fnode *fnode, char *key, int *si
 	secno a;
 	struct extended_attribute *ea;
 	struct extended_attribute *ea_end = fnode_end_ea(fnode);
-	for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea))
+
+	for (ea = fnode_ea(fnode); (void *)ea + sizeof(*ea) <= (void *)ea_end;) {
+		int entry_size = sizeof(*ea) + ea->namelen + ea_valuelen(ea) + 1;
+
+		/* Stop if next EA would overflow */
+		if ((void *)ea + entry_size > (void *)ea_end)
+			break;
+
 		if (!strcmp(ea->name, key)) {
 			if (ea_indirect(ea))
 				return get_indirect_ea(s, ea_in_anode(ea), ea_sec(ea), *size = ea_len(ea));
@@ -147,6 +154,10 @@ char *hpfs_get_ea(struct super_block *s, struct fnode *fnode, char *key, int *si
 			ret[ea_valuelen(ea)] = 0;
 			return ret;
 		}
+
+		ea = (void *)ea + entry_size;
+	}
+
 	a = le32_to_cpu(fnode->ea_secno);
 	len = le32_to_cpu(fnode->ea_size_l);
 	ano = fnode_in_anode(fnode);
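Review bot: The new bound check in the first hunk keeps `ea` and `entry_size` inside the fnode EA area, but the `strcmp(ea->name, key)` on the line after it still trusts the on-disk NUL byte that the `+ 1` in `entry_size` accounts for; a corrupted name without that terminator lets strcmp read through the value and past `ea_end`. A length-bounded comparison closes that gap, e.g. `if (ea->namelen == strlen(key) && !memcmp(ea->name, key, ea->namelen)) {`, or alternatively check `ea->name[ea->namelen] == 0` before the strcmp. `entry_size` folds a `size_t` and the u8 length fields into an `int`; the values are small here, but a `size_t` would match the pointer arithmetic it feeds. hpfs_get_ea starts before the first hunk and ends after the second, and if other walks over the fnode EA region in this file still step with `next_ea()`, they would presumably need the same guard.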