projects / platform / upstream / btrfs-progs.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 35d0588)
btrfs-progs: image: catch zero length extents, avoid endless loop
authorDavid Sterba <dsterba@suse.com>
Mon, 3 Oct 2016 12:52:30 +0000 (14:52 +0200)
committerDavid Sterba <dsterba@suse.com>
Mon, 3 Oct 2016 13:07:24 +0000 (15:07 +0200)
If an extent is found to have length 0, we'd loop endlessly in
copy_from_extent_tree. Reproduced by fuzzed image
bko-166361-blocksize-zero.raw within test 002-simple-image .

Signed-off-by: David Sterba <dsterba@suse.com>
btrfs-image.c patch | blob | history

diff --git a/btrfs-image.c b/btrfs-image.c
index 6bb8d47..bbe4f63 100644 (file)
--- a/btrfs-image.c
+++ b/btrfs-image.c
@@ -1264,10 +1264,18 @@ static int copy_from_extent_tree(struct metadump_struct *metadump,
                }
 
                bytenr = key.objectid;
-               if (key.type == BTRFS_METADATA_ITEM_KEY)
+               if (key.type == BTRFS_METADATA_ITEM_KEY) {
                        num_bytes = extent_root->nodesize;
-               else
+               } else {
                        num_bytes = key.offset;
+               }
+
+               if (num_bytes == 0) {
+                       error("extent length 0 at bytenr %llu key type %d",
+                                       (unsigned long long)bytenr, key.type);
+                       ret = -EIO;
+                       break;
+               }
 
                if (btrfs_item_size_nr(leaf, path->slots[0]) > sizeof(*ei)) {
                        ei = btrfs_item_ptr(leaf, path->slots[0],
Domain: System / System Framework Device Management;