A segmentation fault can be triggered by setting many xattrs to a file and then deleting it. The number must be high enough for more than one b-tree node to be needed for storage. When hfs_brec_remove() is called as part of hfsplus_delete_all_attrs(), fd->search_key will not be set to any specific value. It does not matter because we intend to remove all records for a given cnid. The problem is that hfs_brec_remove() assumes it is being called with the result of a search by key, not by cnid. The value of search_key may be used to update the parent nodes. When no appropriate parent record is found, the result is an out of bounds access. To fix this, set the value of fd->search_key to the key of the first record in the node, which is also the key of the corresponding parent record. Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@xxxxxxxxx> --- fs/hfsplus/brec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c index 754fdf8..dfa60cf 100644 --- a/fs/hfsplus/brec.c +++ b/fs/hfsplus/brec.c @@ -182,6 +182,9 @@ int hfs_brec_remove(struct hfs_find_data *fd) tree = fd->tree; node = fd->bnode; + + /* in case we need to search the parent node */ + hfs_bnode_read_key(node, fd->search_key, 14); again: rec_off = tree->node_size - (fd->record + 2) * 2; end_off = tree->node_size - (node->num_recs + 1) * 2; -- 2.1.4
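Review bot: the new `hfs_bnode_read_key(node, fd->search_key, 14);` line hard-codes 14 as the offset of the first record in the node, and the one-line comment "in case we need to search the parent node" does not say why that particular key is the right one. Readers of brec.c will not see the commit message, which carries the actual invariant (the key of a node's first record is also the key of its parent record, so it is what the by-key parent search expects). Suggest either expanding the comment to state that invariant, or replacing the literal with the node-descriptor size (`sizeof(struct hfs_bnode_desc)`, assuming that is what 14 denotes here, as it appears to be elsewhere in this file) so the read is self-explanatory. Also worth a sentence in the comment that this read happens before `again:` on purpose: after an empty node is unlinked and the loop continues in the parent, search_key still holds the removed node's first key, which is exactly what the parent lookup needs, and a reader might otherwise move the read below the label.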