http://oss.sgi.com/bugzilla/show_bug.cgi?id=842
--- Comment #11 from Eric Sandeen <sandeen-xfs@xxxxxxxxxxx> 2009-07-28 17:36:25 CST ---
Just some notes to myself.
The loop in process_bmbt_reclist() is advancing well past the buffer which was
allocated; numrecs is very high:
    #3 0x0000000000412ee0 in process_bmbt_reclist (rp=0x1cc4ff8, numrecs=46311, extmapp=0x7fff241a8410) at frag.c:237
frag's scanfunc_bmap function needs some bounds checking on this as there is in
the scanfunc_bmap functions:
    if (level == 0) {
        if (be16_to_cpu(block->bb_numrecs) > mp->m_bmap_dmxr[0] || ...

and:

    nrecs = be16_to_cpu(block->bb_numrecs);
    if (level == 0) {
        if (nrecs > mp->m_bmap_dmxr[0]) {
            if (show_warnings)
                print_warning("invalid numrecs (%u) in %s "
                              "block %u/%u", nrecs,
                              typtab[btype].name, agno, agbno);

and:

    if (level == 0) {
        if (numrecs > mp->m_bmap_dmxr[0] ||
            (isroot == 0 && numrecs < mp->m_bmap_dmnr[0])) {
            do_warn(
    _("inode 0x%llx bad # of bmap records (%u, min - %u, max - %u)\n"),
                ino, numrecs, mp->m_bmap_dmnr[0],
                mp->m_bmap_dmxr[0]);
            return(1);
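The kind of check the comment above asks for, as an added example that is not part of the bug report or of xfsprogs: a record count read from disk is compared against the most records one block can hold before any loop uses it. The block layout, the constants and the names walk_leaf and demo_walk are hypothetical; MAX_RECS stands in for mp->m_bmap_dmxr[0].

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified leaf layout (not the real XFS on-disk format):
 * bytes 0-1 level, bytes 2-3 numrecs (big-endian), then 16-byte records. */
#define BLOCK_SIZE 512
#define HDR_SIZE   8
#define REC_SIZE   16
/* Most records that fit in one block; plays the role of mp->m_bmap_dmxr[0]. */
#define MAX_RECS   ((BLOCK_SIZE - HDR_SIZE) / REC_SIZE)

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk the records of a leaf block. Returns the record count, or -1 when the
 * header is not a leaf or claims more records than the block can hold. */
int walk_leaf(const uint8_t block[BLOCK_SIZE], uint32_t *total)
{
    uint16_t level = get_be16(block);
    uint16_t numrecs = get_be16(block + 2);

    if (level != 0)             /* this example only walks leaf blocks */
        return -1;
    if (numrecs > MAX_RECS)     /* reject before the loop touches memory */
        return -1;
    *total = 0;
    for (uint16_t i = 0; i < numrecs; i++)    /* now stays inside block[] */
        *total += block[HDR_SIZE + i * REC_SIZE + REC_SIZE - 1];
    return numrecs;
}

/* Build a constructed block whose header claims `numrecs` records, walk it. */
int demo_walk(uint16_t numrecs)
{
    uint8_t block[BLOCK_SIZE];
    uint32_t total = 0;

    memset(block, 1, sizeof(block));
    block[0] = 0; block[1] = 0;               /* level 0 (leaf) */
    block[2] = (uint8_t)(numrecs >> 8);
    block[3] = (uint8_t)(numrecs & 0xff);
    return walk_leaf(block, &total);
}

int main(void)
{
    printf("numrecs=3 -> %d, numrecs=46311 -> %d\n", demo_walk(3), demo_walk(46311));
    return 0;
}
```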