| To: | xfs-oss <xfs@xxxxxxxxxxx> |
|---|---|
| Subject: | [PATCH] xfsprogs: avoid array overflow in pf_batch_read() |
| From: | Eric Sandeen <sandeen@xxxxxxxxxx> |
| Date: | Thu, 29 Aug 2013 22:55:16 -0500 |
| Delivered-to: | xfs@xxxxxxxxxxx |
| User-agent: | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8 |

The while loop in pf_batch_read, and the code preceding it, is really...
quite a thing. I'd love to rewrite it, but I haven't yet found
a particularly cleaner way.

It cleverly hides the fact that we might increment "num" past the
last index of bplist[] and then assign to it. This corrupts memory.

Rather than major surgery for now, just go for the simple fix,
and break out of the loop if we've increased "num" past the
last index.

Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
---
diff --git a/repair/prefetch.c b/repair/prefetch.c
index 7529f5d..d3491da 100644
--- a/repair/prefetch.c
+++ b/repair/prefetch.c
@@ -429,6 +429,8 @@ pf_batch_read(
if (which != PF_META_ONLY ||
!B_IS_INODE(XFS_BUF_PRIORITY(bplist[num])))
num++;
+ if (num == MAX_BUFS)
+ break;
bplist[num] = btree_lookup_next(args->io_queue, &fsbno);
}
if (!num)
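
Review bot: the new `if (num == MAX_BUFS) break;` in front of `bplist[num] = btree_lookup_next(...)` needs a one-line comment saying it prevents a store one element past the end of bplist[], since the commit message itself notes that the loop hides this. The check also assumes bplist[] is declared with exactly MAX_BUFS elements, which the hunk does not show; confirm that against the declaration, or express the bound in terms of the array's own size so the two cannot drift apart. Finally, after this break num can equal MAX_BUFS, so the code following the loop (starting at `if (!num)`) should be checked to use num only as a count and never as an index into bplist[].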