The problem is that cb_stateSaveFE() overflows an iovec array
on its stack. When the function returns, the saved PC is loaded with
garbage and the process crashes.
(cherry picked from commit
edaa34d3a0ea74bffd886ec40e1c13af7c38a4af)
goto done;
}
cbdsk[idx].index = cbi;
- iov[idx].iov_base = (char *)&cbdsk[idx];
- len += iov[idx].iov_len = sizeof(struct CBDiskEntry);
+ iov[iovcnt].iov_base = (char *)&cbdsk[idx];
+ len += iov[iovcnt].iov_len = sizeof(struct CBDiskEntry);
iovcnt++;
if ((iovcnt == 16) || (!cb->cnext)) {
if (fs_stateWriteV(state, iov, iovcnt)) {