In ext2fs_expand_extra_isize, we size the buffer using 'size' but then
do the memcpy with the rounded-up size, which can overflow the buffer.
With MALLOC_CHECK_=2, I see:
Error in `../e2fsck/e2fsck': free(): invalid pointer: <addr>
Change-Id: I31be58de12d4d50646c7aa96959de0efc5c279c3
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-on: https://review.whamcloud.com/29975
Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
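As an added example, not e2fsprogs code and not part of the commit: a small C harness that reproduces the allocation/copy size mismatch the message describes. EXT2_EXT_ATTR_SIZE() is reproduced from e2fsprogs' ext2_ext_attr.h (round up to a multiple of 4); the arena, the canary, the sample value bytes and the function names are constructed for illustration only.

```c
/* Added example (not e2fsprogs code): models the mismatch between a buffer
 * allocated with e_value_size and a memcpy of EXT2_EXT_ATTR_SIZE(e_value_size)
 * bytes.  The macro is reproduced from ext2fs/ext2_ext_attr.h; the arena,
 * canary and helper names are constructed for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXT2_EXT_ATTR_ROUND 3
#define EXT2_EXT_ATTR_SIZE(size) \
        (((size) + EXT2_EXT_ATTR_ROUND) & ~EXT2_EXT_ATTR_ROUND)

#define CANARY 0xA5

/* Simulated allocator: the first 'alloc' bytes of a fixed arena are the
 * "buffer", the bytes after them are filled with a canary so an overrun is
 * observable.  Returns how many canary bytes a copy of 'copy' bytes clobbers. */
static size_t clobbered_after_copy(size_t alloc, size_t copy)
{
    size_t total = copy + 16;            /* room for the copy plus a guard */
    unsigned char *arena = malloc(total);
    unsigned char *src = malloc(copy);
    size_t i, bad = 0;
    if (!arena || !src) { free(arena); free(src); return (size_t)-1; }

    memset(src, 0x11, copy);             /* constructed xattr value bytes */
    memset(arena, CANARY, total);        /* guard region beyond 'alloc' */
    memcpy(arena, src, copy);            /* the copy under test */

    for (i = alloc; i < total; i++)
        if (arena[i] != CANARY)
            bad++;
    free(arena);
    free(src);
    return bad;
}

/* Before the fix: buffer sized with e_value_size, copy uses the rounded size. */
size_t overrun_before_fix(uint32_t e_value_size)
{
    return clobbered_after_copy(e_value_size, EXT2_EXT_ATTR_SIZE(e_value_size));
}

/* After the fix: allocation and copy both use the rounded size. */
size_t overrun_after_fix(uint32_t e_value_size)
{
    uint32_t rounded = EXT2_EXT_ATTR_SIZE(e_value_size);
    return clobbered_after_copy(rounded, rounded);
}

/* Caveat: EXT2_EXT_ATTR_SIZE() wraps for values within 3 of UINT32_MAX
 * (0xFFFFFFFD rounds to 0), so an on-disk e_value_size must be bounded
 * before it is rounded. */
int value_size_rounds_safely(uint32_t e_value_size)
{
    return e_value_size <= UINT32_MAX - EXT2_EXT_ATTR_ROUND;
}

int main(void)
{
    printf("e_value_size=5: before fix %zu bytes overrun, after fix %zu\n",
           overrun_before_fix(5), overrun_after_fix(5));
    printf("e_value_size=8: before fix %zu bytes overrun, after fix %zu\n",
           overrun_before_fix(8), overrun_after_fix(8));
    printf("0xFFFFFFFE rounds safely? %d\n",
           value_size_rounds_safely(0xFFFFFFFEu));
    return 0;
}
```

A value length of 5 rounds to 8, so the pre-fix copy writes 3 bytes past a 5-byte allocation; a length that is already a multiple of 4 shows no overrun, which is why the bug only surfaces with some attribute values and why MALLOC_CHECK_ was needed to catch it.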
size = entry->e_value_size;
entry_size = EXT2_EXT_ATTR_LEN(entry->e_name_len);
i.name_index = entry->e_name_index;
- error = ext2fs_get_mem(size, &buffer);
+ error = ext2fs_get_mem(EXT2_EXT_ATTR_SIZE(size), &buffer);
if (error)
goto cleanup;
error = ext2fs_get_mem(entry->e_name_len + 1, &b_entry_name);
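Review bot: the allocation now rounds `size`, but `size` itself is still taken straight from `entry->e_value_size` with no bound check visible in this hunk, and EXT2_EXT_ATTR_SIZE() wraps for values within 3 of UINT32_MAX, so the fix only holds if e_value_size is validated against the inode's xattr space before this point; if it is, a one-line comment saying so would help, otherwise the check belongs here. Also suggest computing the rounded value once, e.g. `value_size = EXT2_EXT_ATTR_SIZE(size);`, and using that same variable for both `ext2fs_get_mem()` and the later memcpy the commit message mentions, so the allocation and the copy cannot drift apart again.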