From: Li Zhong <zhong@linux.vnet.ibm.com>
Date: Mon, 12 Aug 2013 06:11:01 +0000 (+0000)
Subject: xfsprogs: fix Out-of-bounds access in repair/dinode.c
X-Git-Tag: v3.2.0-alpha1~61
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7c05095f5baa9cd2e35a6de03d7dd9f51dd3910;p=thirdparty%2Fxfsprogs-dev.git

xfsprogs: fix Out-of-bounds access in repair/dinode.c

Following is reported by coverity in bug 1061528:

187                        __dirty_no_modify_ret(dirty);

CID 1061528 (#1 of 1): Out-of-bounds access (OVERRUN)53. overrun-buffer-arg: Overrunning array "dinoc->di_pad" of 6 bytes by passing it to a function which accesses it at byte offset 15 using argument "16UL".
188                        memset(dinoc->di_pad, 0, 16);

It seems that di_pad here should be di_pad2, as sekharan pointed out.

Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com>
Reviewed-by: Rich Johnston <rjohnston@sgi.com>
Signed-off-by: Rich Johnston <rjohnston@sgi.com>
---

diff --git a/repair/dinode.c b/repair/dinode.c
index a1261e6f4..b2b9a9501 100644
--- a/repair/dinode.c
+++ b/repair/dinode.c
@@ -183,9 +183,9 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t *dinoc, xfs_ino_t ino_num)
 	}
 
 	for (i = 0; i < 16; i++) {
-		if (dinoc->di_pad[i] != 0) {
+		if (dinoc->di_pad2[i] != 0) {
 			__dirty_no_modify_ret(dirty);
-			memset(dinoc->di_pad, 0, 16);
+			memset(dinoc->di_pad2, 0, 16);
 			break;
 		}
 	}