summaryrefslogtreecommitdiff
path: root/lib/util
diff options
context:
space:
mode:
authorRusty Russell <rusty@rustcorp.com.au>2010-12-06 13:35:50 +1030
committerRusty Russell <rusty@rustcorp.com.au>2010-12-06 05:02:22 +0100
commit521e96ca751df072e5c71d3844ed5708b79ac69d (patch)
treed8fbcb3d84a1a50fb2d5e32cc10fbf6af7292428 /lib/util
parentaf5649d5f87e0c8b85eb950a253a4e65cca8ccd0 (diff)
downloadsamba-521e96ca751df072e5c71d3844ed5708b79ac69d.tar.gz
samba-521e96ca751df072e5c71d3844ed5708b79ac69d.tar.bz2
samba-521e96ca751df072e5c71d3844ed5708b79ac69d.zip
idtree: fix overflow for v. large ids on allocation and removal
Chris Cowan tracked down a SEGV in sub_alloc: idp->level can actually be equal to 7 (MAX_LEVEL) there, as it can be in sub_remove. (We unfairly blamed a shift of a signed var for this crash in commit 2db1987f5a3a). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Autobuild-User: Rusty Russell <rusty@rustcorp.com.au> Autobuild-Date: Mon Dec 6 05:02:22 CET 2010 on sn-devel-104
Diffstat (limited to 'lib/util')
-rw-r--r--lib/util/idtree.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/util/idtree.c b/lib/util/idtree.c
index 6611992a25..3648761069 100644
--- a/lib/util/idtree.c
+++ b/lib/util/idtree.c
@@ -104,7 +104,7 @@ static int sub_alloc(struct idr_context *idp, void *ptr, int *starting_id)
{
int n, m, sh;
struct idr_layer *p, *pn;
- struct idr_layer *pa[MAX_LEVEL];
+ struct idr_layer *pa[MAX_LEVEL+1];
unsigned int l, id, oid;
uint32_t bm;