diff mbox

[e2fsprogs] e2fsck: fix segmentation fault when block size is greater than 8192

Message ID 4948BF24.3040601@cn.fujitsu.com
State Superseded, archived
Headers show

Commit Message

Miao Xie Dec. 17, 2008, 8:58 a.m. UTC 
When I did fsck a filesystem with large blocksize(greater than 8192),
segmentation fault occured. The cause is the size of b_data array that is
defined as a fixed size in buffer_head structure.
  (File: e2fsck/jfs_user.h)
  struct buffer_head {
	char		b_data[8192];
	e2fsck_t	b_ctx;
	io_channel	b_io;
	int		b_size;
	blk_t		b_blocknr;
	int		b_dirty;
	int		b_uptodate;
	int		b_err;
  };

It is unreasonable, because if the blocksize is greater than 8192, b_data will
overflow and the other variable would be changed, then if we touch those
variable, segmentation fault occurs.

This patch fixes this bug.

Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>

---
 e2fsck/jfs_user.h |    2 +-
 e2fsck/journal.c  |    8 ++++++++
 2 files changed, 9 insertions(+), 1 deletions(-)
diff mbox

Patch

diff --git a/e2fsck/jfs_user.h b/e2fsck/jfs_user.h
index 0e4f951..f042218 100644
--- a/e2fsck/jfs_user.h
+++ b/e2fsck/jfs_user.h
@@ -15,7 +15,7 @@ 
 #include "e2fsck.h"
 
 struct buffer_head {
-	char		b_data[8192];
+	char *		b_data;
 	e2fsck_t	b_ctx;
 	io_channel 	b_io;
 	int	 	b_size;
diff --git a/e2fsck/journal.c b/e2fsck/journal.c
index 10f5095..ca7a4c3 100644
--- a/e2fsck/journal.c
+++ b/e2fsck/journal.c
@@ -73,6 +73,12 @@  struct buffer_head *getblk(kdev_t kdev, blk_t blocknr, int blocksize)
 	if (!bh)
 		return NULL;
 
+	bh->b_data = e2fsck_allocate_memory(kdev->k_ctx, blocksize,
+						"block buffer b_data");
+	if (!bh->b_data) {
+		ext2fs_free_mem(&bh);
+		return NULL;
+	}
 #ifdef CONFIG_JBD_DEBUG
 	if (journal_enable_debug >= 3)
 		bh_count++;
@@ -163,6 +169,8 @@  void brelse(struct buffer_head *bh)
 		ll_rw_block(WRITE, 1, &bh);
 	jfs_debug(3, "freeing block %lu/%p (total %d)\n",
 		  (unsigned long) bh->b_blocknr, (void *) bh, --bh_count);
+	if (bh->b_data)
+		ext2fs_free_mem(&bh->b_data);
 	ext2fs_free_mem(&bh);
 }