From: Jeffrey Hutzelman Date: Mon, 3 Sep 2007 05:00:21 +0000 (+0000) Subject: DEVEL15-dafs-savestatefe-avoid-overflow-20070902 X-Git-Tag: openafs-devel-1_5_25~31 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=29bc90d5d0233f3d2c1f7bbbbe94c05540397b17;p=packages%2Fo%2Fopenafs.git DEVEL15-dafs-savestatefe-avoid-overflow-20070902 The problem is that cb_stateSaveFE() overflows an iovec array on its stack. When it returns, the PC is loaded with garbage and the process crashes. (cherry picked from commit edaa34d3a0ea74bffd886ec40e1c13af7c38a4af) --- diff --git a/src/viced/callback.c b/src/viced/callback.c index 0a8075a80..ebb2c8660 100644 --- a/src/viced/callback.c +++ b/src/viced/callback.c @@ -2352,8 +2352,8 @@ cb_stateSaveFE(struct fs_dump_state * state, struct FileEntry * fe) goto done; } cbdsk[idx].index = cbi; - iov[idx].iov_base = (char *)&cbdsk[idx]; - len += iov[idx].iov_len = sizeof(struct CBDiskEntry); + iov[iovcnt].iov_base = (char *)&cbdsk[idx]; + len += iov[iovcnt].iov_len = sizeof(struct CBDiskEntry); iovcnt++; if ((iovcnt == 16) || (!cb->cnext)) { if (fs_stateWriteV(state, iov, iovcnt)) {
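Review bot: the change from iov[idx] to iov[iovcnt] only keeps iov within its 16 entries if iovcnt is reset to 0 on the flush path right after fs_stateWriteV(state, iov, iovcnt), and that reset is outside the visible context of this hunk, so please confirm it is there; note also that cbdsk[idx].index = cbi is still indexed by idx, so cbdsk needs its own bound and idx its own reset, or the same class of stack overflow moves from iov to cbdsk. The literal 16 in `if ((iovcnt == 16) || (!cb->cnext))` duplicates the array size; deriving it from the declaration (for example a macro equal to sizeof(iov)/sizeof(iov[0])) and using it for both the flush test and the array bound would stop a future resize from reintroducing the overflow this commit fixes.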