Way back in 2002, commit 948ce18 fixed a potential use-after-free
in verify_final_da_path, but the same fix was not applied to
verify_final_dir2_path; apply it now.
Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxxx>
---
repair/dir2.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/repair/dir2.c b/repair/dir2.c
index 44367c6..898b27e 100644
--- a/repair/dir2.c
+++ b/repair/dir2.c
@@ -330,6 +330,7 @@ verify_final_dir2_path(xfs_mount_t *mp,
const int p_level)
{
xfs_da_intnode_t *node;
+ xfs_dahash_t hashval;
int bad = 0;
int entry;
int this_level = p_level + 1;
@@ -409,6 +410,12 @@ _("would correct bad hashval in non-leaf dir block\n"
}
/*
+ * Note: squirrel hashval away _before_ releasing the
+ * buffer, preventing a use-after-free problem.
+ */
+ hashval = be32_to_cpu(btree[entry].hashval);
+
+ /*
* release/write buffer
*/
ASSERT(cursor->level[this_level].dirty == 0 ||
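Review bot: `node` and `btree` appear to keep pointing into the buffer after it is released further down, so the new `hashval` local in this hunk protects only this one read; any later dereference added to verify_final_dir2_path would reintroduce the use-after-free. The release call itself lies outside the hunk, so this is inferred from the new comment and the replaced line in the last hunk. If it holds, clearing the stale pointers right after the release (`node = NULL; btree = NULL;`) would turn a silent read of freed memory into an immediate fault, which matters for a repair tool that parses on-disk structures it cannot trust. The new comment could also name what becomes invalid, e.g. `btree[] points into the buffer and must not be used after release`.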
@@ -430,7 +437,7 @@ _("would correct bad hashval in non-leaf dir block\n"
* set hashvalue to correctl reflect the now-validated
* last entry in this block and continue upwards validation
*/
- cursor->level[this_level].hashval = be32_to_cpu(btree[entry].hashval);
+ cursor->level[this_level].hashval = hashval;
return(verify_final_dir2_path(mp, cursor, this_level));
}
--
1.7.1