Fix potential e2fsck -n crash

Don't core dump if there is a corrupt htree interior node.  If the block
number is larger than the number of blocks in the directory, don't write
past the end of malloc'ed memory.

Addresses SourceForge Bug: #1512778

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

diff --git a/e2fsck/ChangeLog b/e2fsck/ChangeLog
index 5f4d6e27069ed184c177bb1dad394fcf4a5d8939..6b035322a9806f508e77caa3ba1e68aead534fac 100644 (file)
--- a/e2fsck/ChangeLog
+++ b/e2fsck/ChangeLog
@@ -1,3 +1,11 @@
+2006-10-21  Theodore Tso  <tytso@mit.edu>
+
+       * pass2.c (parse_int_node): Don't core dump if there is a corrupt
+               htree interior node.  If the block number is larger than
+               the number of blocks in the directory, don't write past
+               the end of malloc'ed memory.  (Addresses SourceForge Bug:
+               #1512778)
+
 2006-10-02  Theodore Tso  <tytso@mit.edu>
 
        * e2fsck.conf.5.in: Minor correction to man page.

diff --git a/e2fsck/pass2.c b/e2fsck/pass2.c
index a4db03fd609e8edc8f0e7baa265429dad60bc642..e47e9500a2b86bb2d8b11efc97dc617717a077d5 100644 (file)
--- a/e2fsck/pass2.c
+++ b/e2fsck/pass2.c
@@ -587,11 +587,12 @@ static void parse_int_node(ext2_filsys fs,
 #endif
                blk = ext2fs_le32_to_cpu(ent[i].block) & 0x0ffffff;
                /* Check to make sure the block is valid */
-               if (blk > (blk_t) dx_dir->numblocks) {
+               if (blk >= (blk_t) dx_dir->numblocks) {
                        cd->pctx.blk = blk;
                        if (fix_problem(cd->ctx, PR_2_HTREE_BADBLK,
                                        &cd->pctx))
                                goto clear_and_exit;
+                       continue;
                }
                if (hash < prev_hash &&
                    fix_problem(cd->ctx, PR_2_HTREE_HASH_ORDER, &cd->pctx))