authorDavid Sterba <dsterba@suse.com>2016-03-17 11:41:18 +0100
committerDavid Sterba <dsterba@suse.com>2016-03-17 11:41:18 +0100
commitcdd1bae4032619d3d3acec0d48c32955e3235d1e (patch)
tree97c18c1698bda0b11f1b938df03c950b57b87883 /cmds-subvolume.c
parentaa9c695f65349c68c076c7b83959731500f90612 (diff)
btrfs-progs: subvol sync: fix memory corruption, undersized array
The subvol sync command crashed randomly at the end with *** glibc detected *** btrfs: double free or corruption (out): 0x00000000006ab040 *** This is caused by running out of the ids array in case there are more than 128 subvolumes. The array is increased in steps but does not account for the size of the item, so there was room for 1024 / 8 = 128 subvolume ids. Fixes: c9f885ec8963 ("btrfs-progs: subvol: let sync check only current deletions") Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'cmds-subvolume.c')
-rw-r--r--cmds-subvolume.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/cmds-subvolume.c b/cmds-subvolume.c
index 02e1dec..32caaa5 100644
--- a/cmds-subvolume.c
+++ b/cmds-subvolume.c
@@ -1204,7 +1204,8 @@ static int enumerate_dead_subvols(int fd, u64 **ids)
u64 *newids;
count += SUBVOL_ID_BATCH;
- newids = (u64*)realloc(*ids, count);
+ newids = (u64*)realloc(*ids,
+ count * sizeof(u64));
if (!newids)
return -ENOMEM;
*ids = newids;
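Review bot: The size expression in the new `realloc` call still spells out the element type by hand, so the byte count and the pointer type can drift apart again; `newids = realloc(*ids, count * sizeof(**ids));` derives the element size from what `*ids` points at and drops the unneeded cast. A short comment above `count += SUBVOL_ID_BATCH;`, for example `/* count is a number of ids, not a byte size */`, would make explicit the unit confusion that led to the undersized heap buffer. On the `-ENOMEM` path `*ids` still holds the old allocation, so the caller presumably has to free it. That caller and the rest of enumerate_dead_subvols are outside the hunk, so this should be confirmed there.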