From: Eric Sandeen <sandeen@sandeen.net>
Date: Mon, 8 Jun 2009 21:39:32 +0000 (-0500)
Subject: xfs_repair: catch bad depth in traverse_int_dir2block
X-Git-Tag: v3.0.3~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28148f6;p=thirdparty%2Fxfsprogs-dev.git

xfs_repair: catch bad depth in traverse_int_dir2block

A bad on-disk tree depth in traverse_int_dir2block() can
later cause a segfault when it's used as an array index in
this function; if we get something beyond the max depth,
just error out and the dir will get rebuilt.

Reported-by: Richard Kolkovich <richard@intrameta.com>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
Reviewed-by: Christoph Hellwig <hch@lst.de>
---

diff --git a/repair/dir2.c b/repair/dir2.c
index 9575fb1c9..2723e3b92 100644
--- a/repair/dir2.c
+++ b/repair/dir2.c
@@ -339,9 +339,17 @@ traverse_int_dir2block(xfs_mount_t	*mp,
 		/*
 		 * maintain level counter
 		 */
-		if (i == -1)
+		if (i == -1) {
 			i = da_cursor->active = be16_to_cpu(node->hdr.level);
-		else  {
+			if (i >= XFS_DA_NODE_MAXDEPTH) {
+				do_warn(_("bad header depth for directory "
+					  "inode %llu\n"),
+					da_cursor->ino);
+				da_brelse(bp);
+				i = -1;
+				goto error_out;
+			}
+		} else {
 			if (be16_to_cpu(node->hdr.level) == i - 1)  {
 				i--;
 			} else  {