[PATCH] xfs_repair: catch bad depth in traverse_int_dir2block

[Eric Sandeen]

A bad on-disk tree depth in traverse_int_dir2block() can
later cause a segfault when it's used as an array index in
this function; if we get something beyond the max depth,
just error out and the dir will get rebuilt.

Reported-by: Richard Kolkovich <richard at intrameta.com>
Signed-off-by: Eric Sandeen <sandeen at sandeen.net>
---

diff --git a/repair/dir2.c b/repair/dir2.c
index 9575fb1..2723e3b 100644
--- a/repair/dir2.c
+++ b/repair/dir2.c
@@ -339,9 +339,17 @@ traverse_int_dir2block(xfs_mount_t	*mp,
 		/*
 		 * maintain level counter
 		 */
-		if (i == -1)
+		if (i == -1) {
 			i = da_cursor->active = be16_to_cpu(node->hdr.level);
-		else  {
+			if (i >= XFS_DA_NODE_MAXDEPTH) {
+				do_warn(_("bad header depth for directory "
+					  "inode %llu\n"),
+					da_cursor->ino);
+				da_brelse(bp);
+				i = -1;
+				goto error_out;
+			}
+		} else {
 			if (be16_to_cpu(node->hdr.level) == i - 1)  {
 				i--;
 			} else  {