From 354545a7cf91d4f0a71ad1f594008a6c4fbad80d Mon Sep 17 00:00:00 2001
From: Artem Blagodarenko
Date: Sat, 4 Nov 2017 20:22:18 +0300
Subject: [PATCH] e2fsck: fix access after free for dx_db structure

dx_db structure is freed after fixing of PR_2_HTREE_BAD_ROOT problem. Next code block use this structure to unerstand if leaf is beeng processed. If dx_db is freed, then root block is being processed and if_leaf need to be set to 0.

Signed-off-by: Artem Blagodarenko
Signed-off-by: Theodore Ts'o
Reviewed-by: Andreas Dilger
---
 e2fsck/pass2.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/e2fsck/pass2.c b/e2fsck/pass2.c
index 7190c97..d931a87 100644
--- a/e2fsck/pass2.c
+++ b/e2fsck/pass2.c
@@ -1062,7 +1062,7 @@ inline_read_fail:
 fix_problem(ctx, PR_2_HTREE_BAD_ROOT, &cd->pctx)) {
 clear_htree(ctx, ino);
 dx_dir->numblocks = 0;
- dx_db = 0;
+ dx_db = NULL;
 }
 dx_dir->hashversion = root->hash_version;
 if ((dx_dir->hashversion <= EXT2_HASH_TEA) &&
@@ -1074,9 +1074,10 @@ inline_read_fail:
 (ext2fs_dirent_name_len(dirent) == 0) &&
 (ext2fs_le16_to_cpu(limit->limit) ==
 ((fs->blocksize - (8 + dx_csum_size)) /
- sizeof(struct ext2_dx_entry))))
+ sizeof(struct ext2_dx_entry)))) {
 dx_db->type = DX_DIRBLOCK_NODE;
- is_leaf = (dx_db->type == DX_DIRBLOCK_LEAF);
+ }
+ is_leaf = dx_db ? (dx_db->type == DX_DIRBLOCK_LEAF) : 0;
 }
 out_htree:
-- 
1.8.3.1
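Review bot: The new `dx_db ?` guard in the second hunk covers only the `is_leaf` assignment; the `dx_db->type = DX_DIRBLOCK_NODE;` line just above it still dereferences `dx_db` unconditionally. That looks safe only if this arm is the `else` of the branch that sets `dx_db = NULL` in the first hunk, which cannot be confirmed here because the `if`/`else if` heads lie outside both hunks. Since e2fsck runs over on-disk metadata that may be corrupted or deliberately crafted, I would state the invariant next to the guard, e.g. `/* dx_db is NULL only when the htree root was cleared above (PR_2_HTREE_BAD_ROOT) */`. It is also worth confirming that the code after `out_htree:`, which continues past the end of the hunk, checks `dx_db` before every use.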