From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
The fzero_f function doesn't check that there are enough non-switch
parameters to supply offset and length arguments to fallocate. As a
result, we can walk off the end of the argv array and crash. A
secondary problem is that we don't use getopt to detect the -k, which is
not how most xfs_io commands work.
Therefore, use getopt to detect the -k argument and rewire the offset
and length interpretation code to check optind and use argv correctly.
This bug is trivially reproduced by "xfs_io -c 'fzero -k 0' /some/file".
Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
---
io/prealloc.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/io/prealloc.c b/io/prealloc.c
index 9a372bae..6d452354 100644
--- a/io/prealloc.c
+++ b/io/prealloc.c
@@ -285,18 +285,24 @@ fzero_f(
{
xfs_flock64_t segment;
int mode = FALLOC_FL_ZERO_RANGE;
- int index = 1;
+ int c;
- if (strncmp(argv[index], "-k", 3) == 0) {
- mode |= FALLOC_FL_KEEP_SIZE;
- index++;
+ while ((c = getopt(argc, argv, "k")) != EOF) {
+ switch (c) {
+ case 'k':
+ mode |= FALLOC_FL_KEEP_SIZE;
+ break;
+ default:
+ command_usage(&fzero_cmd);
+ }
}
+ if (optind != argc - 2)
+ return command_usage(&fzero_cmd);
- if (!offset_length(argv[index], argv[index + 1], &segment))
+ if (!offset_length(argv[optind], argv[optind + 1], &segment))
return 0;
- if (fallocate(file->fd, mode,
- segment.l_start, segment.l_len)) {
+ if (fallocate(file->fd, mode, segment.l_start, segment.l_len)) {
perror("fallocate");
return 0;
}
