Fix off-by-one error in fsck_ffs(8) chkrange() block-number check.
On an amd64-CURRENT machine, an i-node that refers to a block number that is one too large will cause a core dump, due to writing beyond the end of blockmap[] and corrupting the next heap block, which happens to contain a struct inoinfo in inphash[]. Note that valgrind catches the blockmap[] access.

Reported by: Robert Morris
PR: 271289
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
parent 1985585233
commit b3fe5d9322
@ -381,8 +381,8 @@ chkrange(ufs2_daddr_t blk, int cnt)
{
int c;
if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
cnt - 1 > maxfsblock - blk) {
if (cnt <= 0 || blk <= 0 || blk >= maxfsblock ||
cnt > maxfsblock - blk) {
if (debug)
printf("out of range: blk %ld, offset %i, size %d\n",
(long)blk, (int)fragnum(&sblock, blk), cnt);
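Review bot: The corrected condition is the right fix for a 0-indexed blockmap[] with maxfsblock entries: the old test accepted blk == maxfsblock and, via `cnt - 1 > maxfsblock - blk`, a run whose last block blk + cnt - 1 equalled maxfsblock, both of which index one past the end of the array; the new test `cnt > maxfsblock - blk` requires blk + cnt <= maxfsblock, so the highest block touched is maxfsblock - 1. Two small observations on the same lines: with `cnt <= 0` and `blk <= 0` rejected first, `blk >= maxfsblock` is already implied by `cnt > maxfsblock - blk` (maxfsblock - blk would be <= 0 < cnt), so the explicit clause is redundant but harmless and reads more clearly; and the `blk <= 0` guard is what keeps `maxfsblock - blk` from wrapping for negative blk. The unchanged debug printf still reports only blk and its fragment offset, so a run that is rejected because its tail crosses maxfsblock prints a block number that looks in range; printing blk + cnt - 1 (or cnt is already there, so the reader can compute it) would make the new boundary case easier to diagnose.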