From: Theodore Ts'o <tytso@mit.edu>
Date: Sun, 22 Oct 2006 03:27:03 +0000 (-0400)
Subject: Fix potential e2fsck -n crash
X-Git-Tag: E2FSPROGS-1_40-WIP-1114~28
X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=977ac8731bf3bd934421dd8107e77325ec7e6de7;p=tools%2Fe2fsprogs.git

Fix potential e2fsck -n crash

Don't core dump if there is a corrupt htree interior node.  If the block
number is larger than the number of blocks in the directory, don't write
past the end of malloc'ed memory.

Addresses SourceForge Bug: #1512778

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
---

diff --git a/e2fsck/ChangeLog b/e2fsck/ChangeLog
index 5f4d6e2..6b03532 100644
--- a/e2fsck/ChangeLog
+++ b/e2fsck/ChangeLog
@@ -1,3 +1,11 @@
+2006-10-21  Theodore Tso  <tytso@mit.edu>
+
+	* pass2.c (parse_int_node): Don't core dump if there is a corrupt
+		htree interior node.  If the block number is larger than
+		the number of blocks in the directory, don't write past
+		the end of malloc'ed memory.  (Addresses SourceForge Bug:
+		#1512778)
+
 2006-10-02  Theodore Tso  <tytso@mit.edu>
 
 	* e2fsck.conf.5.in: Minor correction to man page.
diff --git a/e2fsck/pass2.c b/e2fsck/pass2.c
index a4db03f..e47e950 100644
--- a/e2fsck/pass2.c
+++ b/e2fsck/pass2.c
@@ -587,11 +587,12 @@ static void parse_int_node(ext2_filsys fs,
 #endif
 		blk = ext2fs_le32_to_cpu(ent[i].block) & 0x0ffffff;
 		/* Check to make sure the block is valid */
-		if (blk > (blk_t) dx_dir->numblocks) {
+		if (blk >= (blk_t) dx_dir->numblocks) {
 			cd->pctx.blk = blk;
 			if (fix_problem(cd->ctx, PR_2_HTREE_BADBLK,
 					&cd->pctx))
 				goto clear_and_exit;
+			continue;
 		}
 		if (hash < prev_hash &&
 		    fix_problem(cd->ctx, PR_2_HTREE_HASH_ORDER, &cd->pctx))