From 29bc90d5d0233f3d2c1f7bbbbe94c05540397b17 Mon Sep 17 00:00:00 2001
From: Jeffrey Hutzelman
Date: Mon, 3 Sep 2007 05:00:21 +0000
Subject: [PATCH] DEVEL15-dafs-savestatefe-avoid-overflow-20070902

The problem is that cb_stateSaveFE() overflows an iovec array on its stack. When it returns, the PC is loaded with garbage and the process crashes. (cherry picked from commit edaa34d3a0ea74bffd886ec40e1c13af7c38a4af)
---
 src/viced/callback.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/viced/callback.c b/src/viced/callback.c
index 0a8075a80..ebb2c8660 100644
--- a/src/viced/callback.c
+++ b/src/viced/callback.c
@@ -2352,8 +2352,8 @@ cb_stateSaveFE(struct fs_dump_state * state, struct FileEntry * fe)
 goto done;
 }
 cbdsk[idx].index = cbi;
- iov[idx].iov_base = (char *)&cbdsk[idx];
- len += iov[idx].iov_len = sizeof(struct CBDiskEntry);
+ iov[iovcnt].iov_base = (char *)&cbdsk[idx];
+ len += iov[iovcnt].iov_len = sizeof(struct CBDiskEntry);
 iovcnt++;
 if ((iovcnt == 16) || (!cb->cnext)) {
 if (fs_stateWriteV(state, iov, iovcnt)) {
-- 
2.39.5
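Review bot: The hard-coded 16 in `if ((iovcnt == 16) || (!cb->cnext)) {` is the bound the corrected `iov[iovcnt]` index now depends on, yet nothing in the hunk ties it to the declared size of `iov`, so the array-versus-limit mismatch this commit fixes can recur if either is edited alone. The declaration of `iov` and the reset of `iovcnt` after `fs_stateWriteV` (presumably back to 0; verify) are both outside the hunk, so the flush-before-overflow invariant cannot be confirmed from here. I would size the array from one named constant and compare against it, e.g. `if ((iovcnt == CB_SAVE_IOV_MAX) || (!cb->cnext)) {` with `CB_SAVE_IOV_MAX` (constructed name) defined as 16 beside the array, or compare against `sizeof iov / sizeof iov[0]`. `cbdsk[idx]` is still indexed by `idx` and its capacity is likewise not visible, so the same array-bound check is worth confirming there. cb_stateSaveFE begins and ends outside the hunk.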