authorKirk McKusick <mckusick@FreeBSD.org>2023-05-09 20:08:10 +0000
committerKirk McKusick <mckusick@FreeBSD.org>2023-05-09 20:08:10 +0000
commitb3fe5d932264445cbf9a1c4eab01afb6179b499b (patch)
treefe1d8350e90d73974e093cdd16bb0400c2eb2aa6 /sbin/fsck_ffs
parent198558523361a654409b6d3f8d63c12ba3f72ae5 (diff)
Fix off-by-one error in fsck_ffs(8) chkrange() block-number check.
On an amd64-CURRENT machine, an i-node that refers to a block number that is one too large will cause a core dump, due to writing beyond the end of blockmap[] and corrupting the next heap block, which happens to contain a struct inoinfo in inphash[]. Note that valgrind catches the blockmap[] access. Reported by: Robert Morris PR: 271289 MFC after: 1 week Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'sbin/fsck_ffs')
-rw-r--r--sbin/fsck_ffs/inode.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sbin/fsck_ffs/inode.c b/sbin/fsck_ffs/inode.c
index 04891447254e..00a60157138c 100644
--- a/sbin/fsck_ffs/inode.c
+++ b/sbin/fsck_ffs/inode.c
@@ -381,8 +381,8 @@ chkrange(ufs2_daddr_t blk, int cnt)
{
int c;
- if (cnt <= 0 || blk <= 0 || blk > maxfsblock ||
- cnt - 1 > maxfsblock - blk) {
+ if (cnt <= 0 || blk <= 0 || blk >= maxfsblock ||
+ cnt > maxfsblock - blk) {
if (debug)
printf("out of range: blk %ld, offset %i, size %d\n",
(long)blk, (int)fragnum(&sblock, blk), cnt);
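Review bot: The corrected condition on the two added lines encodes that maxfsblock is an exclusive limit (after this check blk lies in 1..maxfsblock-1 and the range [blk, blk+cnt) must end at or before maxfsblock), but nothing in the code says so, and the original off-by-one came precisely from treating it as inclusive; a one-line comment above the `if` would keep the next editor from reintroducing it, e.g. `/* maxfsblock is one past the last valid block: require 0 < blk and blk + cnt <= maxfsblock. */`. Note that with cnt > 0 already required, `cnt > maxfsblock - blk` alone also rejects any blk >= maxfsblock (the subtraction is then <= 0), so the `blk >= maxfsblock` comparison is redundant rather than wrong and is fine to keep for readability. Since blk and cnt come straight from on-disk inode data, this check appears to be what stands between a crafted image and the blockmap[] overwrite the commit message describes, so a regression test using a block number exactly equal to maxfsblock (the value the old code let through) would be worth adding. chkrange's body continues past the end of the hunk.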