From 3cc93dda3f8fcbfa82ca3cdf0283f894487f1d6d Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" Date: Wed, 23 May 2018 16:30:48 -0500 Subject: [PATCH] xfs_repair: don't crash if da btree is corrupt In the recursive verify_da_path call chain, we decide to examine the next upper level if the current entry points past the end of the entries. However, we don't check for a node with zero entries (which should be impossible) so we run right off the end of the da cursor's level array and crash. Found by fuzzing hdr.count in xfs/402. Signed-off-by: Darrick J. Wong Reviewed-by: Eric Sandeen Signed-off-by: Eric Sandeen --- repair/da_util.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/repair/da_util.c b/repair/da_util.c index a65652fa9..bca4060d1 100644 --- a/repair/da_util.c +++ b/repair/da_util.c @@ -526,6 +526,10 @@ verify_da_path( else geo = mp->m_attr_geo; + /* No buffer at this level, tree is corrupt. */ + if (cursor->level[this_level].bp == NULL) + return 1; + /* * index is currently set to point to the entry that * should be processed now in this level. @@ -535,6 +539,10 @@ verify_da_path( btree = M_DIROPS(mp)->node_tree_p(node); M_DIROPS(mp)->node_hdr_from_disk(&nodehdr, node); + /* No entries in this node? Tree is corrupt. */ + if (nodehdr.count == 0) + return 1; + /* * if this block is out of entries, validate this * block and move on to the next block. -- 2.47.2
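Review bot: In the first hunk (@@ -526,6 +526,10 @@), the new test `cursor->level[this_level].bp == NULL` indexes the level array without first checking this_level against the array's bounds. The commit message describes the crash as running off the end of the da cursor's level array, so if this_level can already be past the last slot when verify_da_path recurses upward, the read of .bp is itself out of range and the NULL test only helps while the slot is still inside the array. Consider comparing this_level with the array's declared size before the dereference. The `return 1` here is also silent; a warning naming the level with the missing buffer would let the repair log show which corruption case was hit.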
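Review bot: In the second hunk (@@ -535,6 +539,10 @@), `nodehdr.count == 0` rejects only the lower bound of a field that, per the commit message, was found by fuzzing hdr.count. A count larger than the node can hold passes this test unchanged and flows into the "out of entries" comparison that follows. If no earlier verifier already covers that case, consider rejecting counts above the per-node maximum for the geometry selected in geo earlier in the function as part of the same check, so both ends of the range are validated in one place after node_hdr_from_disk.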