INN commit: trunk/storage/tradindexed (tdx-group.c)
INN Commit
rra at isc.org
Thu May 14 13:25:42 UTC 2015
Date: Thursday, May 14, 2015 @ 06:25:42
Author: iulius
Revision: 9859
Correct remap check in tradindexed lookup
The check was off by one; and when it happened, it invalidated the
'parent' pointer, causing a use-after-munmap (or use-after-free)
condition.
Thanks to Richard Kettlewell for the bug report.
Modified:
trunk/storage/tradindexed/tdx-group.c
-------------+
tdx-group.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
Modified: tdx-group.c
===================================================================
--- tdx-group.c 2015-05-14 13:21:06 UTC (rev 9858)
+++ tdx-group.c 2015-05-14 13:25:42 UTC (rev 9859)
@@ -359,7 +359,7 @@
their next entry is entry 0. We don't want to leave things in this
state (particularly if this was the first expansion of the index file,
in which case entry 0 points to entry 0 and our walking functions may
- go into infinite loops. Undo the file expansion. */
+ go into infinite loops). Undo the file expansion. */
if (!index_map(index)) {
index->count -= 1024;
if (ftruncate(index->fd, index_file_size(index->count)) < 0) {
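Review bot: The only change in this hunk is the closing parenthesis in the comment above `if (!index_map(index)) {`, which is unrelated to the remap check named in the commit subject. Committing it separately would keep the memory-safety fix minimal and easier to backport or cherry-pick on its own.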
@@ -558,11 +558,20 @@
parent = &index->header->hash[index_bucket(hash)].recno;
current = *parent;
- while (current >= 0 && current < index->count) {
+ while (current >= 0) {
struct group_entry *entry;
- if (current > index->count && !index_maybe_remap(index, current))
- return -1;
+ if (current >= index->count) {
+ if (!index_maybe_remap(index, current)) {
+ return -1;
+ }
+ parent = &index->header->hash[index_bucket(hash)].recno;
+ current = *parent;
+ if (current < 0 || current >= index->count) {
+ syswarn("tradindexed: entry %ld out of range", current);
+ return -1;
+ }
+ }
entry = &index->entries[current];
if (entry->deleted == 0)
if (memcmp(&hash, &entry->hash, sizeof(hash)) == 0) {
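Review bot: In the new `if (current >= index->count)` branch, the range check that follows `current = *parent;` validates only the bucket head, not the out-of-range value that triggered the remap. That value is discarded when the walk restarts. If `index_maybe_remap` returns success without raising `index->count` above it (for example, because the record number comes from a corrupted entry), the walk would reach the same entry again, remap again and restart again, with nothing visible here to bound the number of restarts. Consider saving the triggering value before the call and returning -1 if it is still `>= index->count` afterward, or allowing at most one restart per lookup. A smaller point: no system call has failed when `syswarn("tradindexed: entry %ld out of range", current);` runs, so the errno text that `syswarn` appends will be unrelated to the problem; `warn` would give a cleaner log line.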