From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>

If I run the following command:

xfs_db /dev/sdf -x -c 'agf 0' -c 'addr refcntroot' -c 'addr ptrs[1]\'

then ftok_free crashes on an invalid free() because picking up the previous token (the closing bracket) xrealloc'd the token array to be 5 elements long but never set the last element's tok pointer. Consequently the ftok_free tries to free whatever garbage pointer is in that last element and kaboom.

Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>

--- db/flist.c | 1 + 1 file changed, 1 insertion(+) diff --git a/db/flist.c b/db/flist.c index e11acbf..b207354 100644 --- a/db/flist.c +++ b/db/flist.c @@ -400,6 +400,7 @@ flist_split( strncpy(a, s, l); a[l] = '\0'; v = xrealloc(v, (nv + 2) * sizeof(*v)); + v[nv + 1].tok = NULL; v[nv].tok = a; v[nv].tokty = t; nv++;
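
Review bot: the added `v[nv + 1].tok = NULL;` initializes only the `tok` field of the spare slot that `xrealloc(v, (nv + 2) * sizeof(*v))` just grew, so that slot's `tokty` is still uninitialized. If anything reads `tokty` on the trailing element before checking `tok`, it sees garbage; zeroing the whole element (for example `memset(&v[nv + 1], 0, sizeof(*v));`) would cover both fields in one step. A one-line comment noting that the extra slot is the trailing element ftok_free inspects would also explain why the allocation is `nv + 2` rather than `nv + 1`, which is not obvious from this hunk alone.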