diff options
| author | David Sterba <dsterba@suse.com> | 2016-03-17 11:41:18 +0100 |
|---|---|---|
| committer | David Sterba <dsterba@suse.com> | 2016-03-17 11:41:18 +0100 |
| commit | cdd1bae4032619d3d3acec0d48c32955e3235d1e (patch) | |
| tree | 97c18c1698bda0b11f1b938df03c950b57b87883 /cmds-subvolume.c | |
| parent | aa9c695f65349c68c076c7b83959731500f90612 (diff) | |
btrfs-progs: subvol sync: fix memory corruption, undersized array
The subvol sync command crashed randomly at the end with
*** glibc detected *** btrfs: double free or corruption (out): 0x00000000006ab040 ***
This is caused by running out of the ids array in case there are more
than 128 subvolumes. The array is increased in steps but does not
account the size of the item, so there was room for 1024 / 8 = 128
subvolume ids.
Fixes: c9f885ec8963 ("btrfs-progs: subvol: let sync check only current deletions")
Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'cmds-subvolume.c')
| -rw-r--r-- | cmds-subvolume.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/cmds-subvolume.c b/cmds-subvolume.c index 02e1dec1..32caaa5d 100644 --- a/cmds-subvolume.c +++ b/cmds-subvolume.c @@ -1204,7 +1204,8 @@ static int enumerate_dead_subvols(int fd, u64 **ids) u64 *newids; count += SUBVOL_ID_BATCH; - newids = (u64*)realloc(*ids, count); + newids = (u64*)realloc(*ids, + count * sizeof(u64)); if (!newids) return -ENOMEM; *ids = newids; |