xfs_repair: fix use-after-free in verify_final_dir2_path

Way back in 2002, commit 948ce18 fixed a potential use-after-free
in verify_final_da_path, but the same fix was not applied to
verify_final_dir2_path; apply it now.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>

diff --git a/repair/dir2.c b/repair/dir2.c
index 44367c6aa8d6d5905bf59afd4b50c0e142db3293..898b27e80b88df76cd2bcdd314d74fbf85947800 100644 (file)
--- a/repair/dir2.c
+++ b/repair/dir2.c
@@ -330,6 +330,7 @@ verify_final_dir2_path(xfs_mount_t  *mp,
                const int               p_level)
 {
        xfs_da_intnode_t        *node;
+       xfs_dahash_t            hashval;
        int                     bad = 0;
        int                     entry;
        int                     this_level = p_level + 1;
@@ -408,6 +409,12 @@ _("would correct bad hashval in non-leaf dir block\n"
                }
        }
 
+       /*
+        * Note: squirrel hashval away _before_ releasing the
+        * buffer, preventing a use-after-free problem.
+        */
+       hashval = be32_to_cpu(btree[entry].hashval);
+
        /*
         * release/write buffer
         */
@@ -430,7 +437,7 @@ _("would correct bad hashval in non-leaf dir block\n"
         * set hashvalue to correctl reflect the now-validated
         * last entry in this block and continue upwards validation
         */
-       cursor->level[this_level].hashval = be32_to_cpu(btree[entry].hashval);
+       cursor->level[this_level].hashval = hashval;
 
        return(verify_final_dir2_path(mp, cursor, this_level));
 }