public inbox for linux-xfs@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH] xfsprogs: avoid array overflow in pf_batch_read()
@ 2013-08-30  3:55 Eric Sandeen
  2013-09-02 10:14 ` Dave Chinner
  2013-10-18 16:29 ` Rich Johnston
  0 siblings, 2 replies; 3+ messages in thread
From: Eric Sandeen @ 2013-08-30  3:55 UTC (permalink / raw)
  To: xfs-oss

The while loop in pf_batch_read, and the code preceeding it, is really...
quite a thing.  I'd love to rewrite it, but I haven't yet found
a particularly cleaner way.

It cleverly hides the fact that we might increment "num" past the
last index of bplist[] and then assign to it.  This corrupts memory.

Rather than major surgery for now, just go for the simple fix,
and break out of the loop if we've increased "num" past the
last index.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---

diff --git a/repair/prefetch.c b/repair/prefetch.c
index 7529f5d..d3491da 100644
--- a/repair/prefetch.c
+++ b/repair/prefetch.c
@@ -429,6 +429,8 @@ pf_batch_read(
 			if (which != PF_META_ONLY ||
 			    !B_IS_INODE(XFS_BUF_PRIORITY(bplist[num])))
 				num++;
+			if (num == MAX_BUFS)
+				break;
 			bplist[num] = btree_lookup_next(args->io_queue, &fsbno);
 		}
 		if (!num)

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

^ permalink raw reply related	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-10-18 16:29 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-08-30  3:55 [PATCH] xfsprogs: avoid array overflow in pf_batch_read() Eric Sandeen
2013-09-02 10:14 ` Dave Chinner
2013-10-18 16:29 ` Rich Johnston

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox