From cdd1bae4032619d3d3acec0d48c32955e3235d1e Mon Sep 17 00:00:00 2001
From: David Sterba
Date: Thu, 17 Mar 2016 11:41:18 +0100
Subject: btrfs-progs: subvol sync: fix memory corruption, undersized array

The subvol sync command crashed randomly at the end with

*** glibc detected *** btrfs: double free or corruption (out): 0x00000000006ab040 ***

This is caused by running out of the ids array in case there are more than 128 subvolumes. The array is increased in steps but does not account the size of the item, so there was room for 1024 / 8 = 128 subvolume ids.

Fixes: c9f885ec8963 ("btrfs-progs: subvol: let sync check only current deletions")
Signed-off-by: David Sterba
---
 cmds-subvolume.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'cmds-subvolume.c')

diff --git a/cmds-subvolume.c b/cmds-subvolume.c
index 02e1dec1..32caaa5d 100644
--- a/cmds-subvolume.c
+++ b/cmds-subvolume.c
@@ -1204,7 +1204,8 @@ static int enumerate_dead_subvols(int fd, u64 **ids)
 		u64 *newids;
 
 		count += SUBVOL_ID_BATCH;
-		newids = (u64*)realloc(*ids, count);
+		newids = (u64*)realloc(*ids,
+				count * sizeof(u64));
 		if (!newids)
 			return -ENOMEM;
 		*ids = newids;
--
cgit v1.2.3
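Review bot: The new size expression is correct but still detached from the pointer it sizes; writing it as `count * sizeof(*newids)` (or `sizeof(**ids)`) ties the element size to the array's own type, so a later change of the element type cannot silently reintroduce this undersized-realloc heap overflow, and the `(u64*)` cast on realloc is unnecessary in C. A short comment on the `count += SUBVOL_ID_BATCH;` line, e.g. `/* count is in u64 elements, not bytes */`, would make the unit explicit, since the byte/element confusion is exactly what the crash in the description came from. The declaration and type of `count` are outside the hunk; if it is a signed int, `count * sizeof(u64)` promotes to size_t and wraps rather than overflowing as signed, but nothing here bounds how large count may grow before the multiplication, which is probably acceptable for a subvolume id list but is worth confirming. The enclosing function enumerate_dead_subvols starts and ends outside the hunk.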