From patchwork Tue May 7 19:09:50 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 2536311 Return-Path: X-Original-To: patchwork-linux-btrfs@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork2.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork2.kernel.org (Postfix) with ESMTP id A22DADF215 for ; Tue, 7 May 2013 19:09:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755138Ab3EGTJy (ORCPT ); Tue, 7 May 2013 15:09:54 -0400 Received: from dkim2.fusionio.com ([66.114.96.54]:37309 "EHLO dkim2.fusionio.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753601Ab3EGTJx (ORCPT ); Tue, 7 May 2013 15:09:53 -0400 Received: from mx2.fusionio.com (unknown [10.101.1.160]) by dkim2.fusionio.com (Postfix) with ESMTP id 049A69A0694 for ; Tue, 7 May 2013 13:09:53 -0600 (MDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fusionio.com; s=default; t=1367953793; bh=xet2ytelxkkyav3nP+NgEiz3a8hL1q/TcZEh//Y0AXQ=; h=From:To:Subject:Date; b=kr9xccsNjqYn2Lqiaawz3Y4hNzMn+FPUoUT8Gc7OCThdWvwfNUNFnMvU/AHyYiw1x 32fkVcdROjeathZV8t8OpsJhc0jvJLf8Y0MF3YTqEU42OwdQCW/WRwEiSQb7lUgZWU Tuq2612wNGO7tofAwDtw/E8u/VEY9TUof9q1B3B0= X-ASG-Debug-ID: 1367953792-0421b5368454820001-6jHSXT Received: from mail1.int.fusionio.com (mail1.int.fusionio.com [10.101.1.21]) by mx2.fusionio.com with ESMTP id IshsE8PWW1wV8qff (version=TLSv1 cipher=AES128-SHA bits=128 verify=NO) for ; Tue, 07 May 2013 13:09:52 -0600 (MDT) X-Barracuda-Envelope-From: JBacik@fusionio.com Received: from localhost (76.182.72.146) by mail.fusionio.com (10.101.1.19) with Microsoft SMTP Server (TLS) id 8.3.83.0; Tue, 7 May 2013 13:09:51 -0600 From: Josef Bacik To: Subject: [PATCH] Btrfs-progs: sanity check the number of items in a leaf Date: Tue, 7 May 2013 15:09:50 -0400 X-ASG-Orig-Subj: [PATCH] Btrfs-progs: sanity check the number of items in a leaf Message-ID: <1367953790-23756-1-git-send-email-jbacik@fusionio.com> X-Mailer: git-send-email 1.7.7.6 MIME-Version: 1.0 X-Barracuda-Connect: mail1.int.fusionio.com[10.101.1.21] X-Barracuda-Start-Time: 1367953792 X-Barracuda-Encrypted: AES128-SHA X-Barracuda-URL: http://10.101.1.181:8000/cgi-mod/mark.cgi X-Virus-Scanned: by bsmtpd at fusionio.com X-Barracuda-Spam-Score: 0.00 X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests= X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.130288 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- Sender: linux-btrfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org I hit this while working on fsck, I got some weird corruption where the number of items was way higher than what would fit in a leaf, which would make things blow up. This fixes the problem by catching it and returning an error so we gracefully exit instead of segfaulting. Thanks, Signed-off-by: Josef Bacik --- ctree.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/ctree.c b/ctree.c index 16f4daa..851d14a 100644 --- a/ctree.c +++ b/ctree.c @@ -638,6 +638,12 @@ int btrfs_check_leaf(struct btrfs_root *root, struct btrfs_disk_key key; u32 nritems = btrfs_header_nritems(buf); + if (nritems == 0 || nritems * sizeof(struct btrfs_item) > buf->len) { + fprintf(stderr, "invalid number of items %llu\n", + (unsigned long long)buf->start); + goto fail; + } + if (btrfs_header_level(buf) != 0) { fprintf(stderr, "leaf is not a leaf %llu\n", (unsigned long long)btrfs_header_bytenr(buf));