From: Theodore Tso <tytso@mit.edu>
To: Eric Sandeen <sandeen@redhat.com>
Cc: ext4 development <linux-ext4@vger.kernel.org>
Subject: Re: [PATCH 1/3] libext2fs: ext2fs_node_split
Date: Mon, 2 Jun 2008 02:53:54 -0400
Message-ID: <20080602065354.GA15419@mit.edu>
In-Reply-To: <20080527042218.GD7515@mit.edu>

FYI, while doing some more testing, I found another bug in this patch.
It doesn't reallocate and update the handle->path array, with the net
result that future operations will result in a core dump as we overrun the
handle->path array and fetch an illegal pointer from handle->path[n].buf.

The fix follows....

- Ted

diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
index 29f6cdd..d421a4b 100644
--- a/lib/ext2fs/extent.c
+++ b/lib/ext2fs/extent.c
@@ -772,7 +772,7 @@ static errcode_t extent_node_split(ext2_extent_handle_t handle, int flags)
int orig_height;
char *block_buf = NULL;
struct ext2fs_extent extent;
- struct extent_path *path;
+ struct extent_path *path, *newpath = 0;
struct ext3_extent *ex;
struct ext3_extent_header *eh, *neweh;
char *cp;
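Review bot: in the changed declaration, `newpath = 0` initializes a pointer with a bare 0 while `block_buf` two lines above uses NULL; write `*newpath = NULL` to match. The initialization itself is required, since the cleanup at `done` tests newpath on paths where it was never allocated.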
@@ -838,6 +838,13 @@ static errcode_t extent_node_split(ext2_extent_handle_t handle, int flags)
if (handle->level == 0) {
new_root = 1;
tocopy = ext2fs_le16_to_cpu(eh->eh_entries);
+ retval = ext2fs_get_mem(((handle->max_depth+2) *
+ sizeof(struct extent_path)),
+ &newpath);
+ if (retval)
+ goto done;
+ memset(newpath, 0,
+ ((handle->max_depth+2) * sizeof(struct extent_path)));
} else {
tocopy = ext2fs_le16_to_cpu(eh->eh_entries) / 2;
}
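Review bot: the size expression `(handle->max_depth+2) * sizeof(struct extent_path)` is written out twice in the `handle->level == 0` branch, once for ext2fs_get_mem and once for memset, and the two must stay identical for the zeroing to cover the whole allocation. Compute it once into a local and pass that to both calls, and add a short comment saying why it is max_depth+2 (the max_depth+1 entries that the later memcpy copies, plus one for the new root level).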
@@ -873,7 +880,7 @@ static errcode_t extent_node_split(ext2_extent_handle_t handle, int flags)
if (retval)
goto done;
- dbg_printf("will copy to new node at block %llu\n", new_node_pblk);
+ dbg_printf("will copy to new node at block %lu\n", new_node_pblk);
/* Copy data into new block buffer */
/* First the header for the new block... */
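Review bot: the dbg_printf change from `%llu` to `%lu` is unrelated to the handle->path reallocation that the message describes, and the declaration of new_node_pblk is not part of this diff, so the correct specifier cannot be checked here. Either split this into its own patch or mention it in the description, and make the specifier match the declared type of new_node_pblk (or cast the argument explicitly) so the debug build does not pass a mismatched vararg.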
@@ -902,6 +909,11 @@ static errcode_t extent_node_split(ext2_extent_handle_t handle, int flags)
/* current path now has fewer active entries, we copied some out */
if (handle->level == 0) {
+ memcpy(newpath, path,
+ sizeof(struct extent_path) * (handle->max_depth+1));
+ handle->path = newpath;
+ newpath = path;
+ path = handle->path;
path->entries = 1;
path->left = path->max_entries - 1;
handle->max_depth++;
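Review bot: the three assignments after the memcpy leave newpath pointing at the old array and path at the new one, which is easy to misread given the variable names. Add a comment stating that newpath now holds the old handle->path array so that the cleanup at `done` releases it, and that the entries copied by memcpy (including their buf pointers) now belong to the new array, so only the old array itself may be freed, not the buffers it pointed to.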
@@ -962,6 +974,8 @@ static errcode_t extent_node_split(ext2_extent_handle_t handle, int flags)
goto done;
done:
+ if (newpath)
+ ext2fs_free_mem(&newpath);
if (block_buf)
free(block_buf);
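Review bot: the cleanup at `done` now releases newpath with ext2fs_free_mem() and block_buf with plain free() on adjacent lines. If block_buf is obtained through ext2fs_get_mem() elsewhere in this function, release it with ext2fs_free_mem() as well so each allocation is paired with its own deallocator; if it really comes from malloc(), a one-line comment saying so would avoid the question.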