]> git.ipfire.org Git - thirdparty/xfsprogs-dev.git/commitdiff
Fix a use-after-free bug in xfs_repair code for checking version 1
authorNathan Scott <nathans@sgi.com>
Tue, 14 May 2002 06:27:01 +0000 (06:27 +0000)
committerNathan Scott <nathans@sgi.com>
Tue, 14 May 2002 06:27:01 +0000 (06:27 +0000)
btree-format directories.  Found by libefence.a in conjunction with
the qa tests on <pgsize blocksize filesystems.

doc/CHANGES
repair/dir.c

index 8e901dea9a448bc93f5bf22b41eafa57af5e5ab9..30a9291a92780786a66c67bd17d33f7e52bfe952 100644 (file)
@@ -5,6 +5,8 @@
        - Fix bug in xfs_repair da_write() routine, which affects
          filesystems where the data blocksize != naming blocksize
          (see xfs_info output).
+       - Fix a use-after-free bug in xfs_repair code for checking
+         version 1 btree-format directories.
 
 xfsprogs-2.0.5 (02 May 2002)
        - size AGs so that they do not always start on the same 
index 7fd0d2c3cd1c18ab83028ab7c9aea056479b1b33..555e5e1fadf420f0f2b60717eb94023515d616e2 100644 (file)
@@ -1035,6 +1035,7 @@ verify_final_da_path(xfs_mount_t  *mp,
                const int               p_level)
 {
        xfs_da_intnode_t        *node;
+       xfs_dahash_t            hashval;
        int                     bad = 0;
        int                     entry;
        int                     this_level = p_level + 1;
@@ -1117,6 +1118,12 @@ verify_final_da_path(xfs_mount_t *mp,
                }
        }
 
+       /*
+        * Note: squirrel hashval away _before_ releasing the
+        * buffer, preventing a use-after-free problem.
+        */
+       hashval = INT_GET(node->btree[entry].hashval, ARCH_CONVERT);
+
        /*
         * release/write buffer
         */
@@ -1140,11 +1147,10 @@ verify_final_da_path(xfs_mount_t        *mp,
                return(0);
        }
        /*
-        * set hashvalue to correctl reflect the now-validated
+        * set hashvalue to correctly reflect the now-validated
         * last entry in this block and continue upwards validation
         */
-       cursor->level[this_level].hashval =
-                       INT_GET(node->btree[entry].hashval, ARCH_CONVERT);
+       cursor->level[this_level].hashval = hashval;
        return(verify_final_da_path(mp, cursor, this_level));
 }