From af7293fe8a6d7b9af70f90b1ccdc91a0e2fec7f8 Mon Sep 17 00:00:00 2001
From: Jan Kara
Date: Mon, 30 Mar 2020 11:09:32 +0200
Subject: [PATCH] ext2fs: fix off-by-one in dx_grow_tree()

There is an off-by-one error in dx_grow_tree() when checking whether we can add another level to the tree. Thus we can grow tree too much leading to possible crashes in the library or corrupted filesystem. Fix the bug.

Signed-off-by: Jan Kara
Reviewed-by: Lukas Czerner
Signed-off-by: Theodore Ts'o
---
 lib/ext2fs/link.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ext2fs/link.c b/lib/ext2fs/link.c
index 7b5bb02..469eea8 100644
--- a/lib/ext2fs/link.c
+++ b/lib/ext2fs/link.c
@@ -473,7 +473,7 @@ static errcode_t dx_grow_tree(ext2_filsys fs, ext2_ino_t dir,
 ext2fs_le16_to_cpu(info->frames[i].head->limit))
 break;
 /* Need to grow tree depth? */
- if (i < 0 && info->levels > ext2_dir_htree_level(fs))
+ if (i < 0 && info->levels >= ext2_dir_htree_level(fs))
 return EXT2_ET_DIR_NO_SPACE;
 lblk = size / fs->blocksize;
 size += fs->blocksize;
--
1.8.3.1
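Review bot: The comment `/* Need to grow tree depth? */` above the corrected test does not state the invariant that makes `>=` the right bound, so the next reader has no way to tell the two operators apart; I would document it next to the check, e.g. `/* levels is the current depth; adding one at the limit would exceed ext2_dir_htree_level() */`. Because the commit message says overgrowth can crash the library or corrupt the filesystem, it is also worth confirming that `info->levels`, which presumably originates from the on-disk dx root, is range-checked where the lookup info is filled in, so that code indexing `info->frames` never sees a depth above the limit. Neither that code nor the sizing of `info->frames` is visible here, and dx_grow_tree() begins and ends outside this hunk.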