diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2014-02-27 00:07:29 -0500 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2014-03-05 00:17:27 -0500 |
commit | fb099c8d2af6620db2709e826a258089d10cdfe8 (patch) | |
tree | 1af39090260dd92db522636b7f3d86d69b95ef6f | |
parent | 32f244309902243a20cff5d5d1abb1c888b5fb21 (diff) |
journal: assume that next entry is after previous entry
With a corrupted file, we can get in a situation where two entries
in the entry array point to the same object. Then journal_file_next_entry
will find the first one using generic_arrray_bisect, and try to move to
the second one, but since the address is the same, generic_array_get will
return the first one. journal_file_next_entry ends up in an infinite loop.
https://bugzilla.redhat.com/show_bug.cgi?id=1047039
-rw-r--r-- | src/journal/journal-file.c | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c index 5876733598..0e1fc7f7bc 100644 --- a/src/journal/journal-file.c +++ b/src/journal/journal-file.c @@ -1359,7 +1359,7 @@ int journal_file_append_entry(JournalFile *f, const dual_timestamp *ts, const st } typedef struct ChainCacheItem { - uint64_t first; /* the array at the begin of the chain */ + uint64_t first; /* the array at the beginning of the chain */ uint64_t array; /* the cached array */ uint64_t begin; /* the first item in the cached array */ uint64_t total; /* the total number of items in all arrays before this one in the chain */ @@ -1945,7 +1945,7 @@ int journal_file_next_entry( direction_t direction, Object **ret, uint64_t *offset) { - uint64_t i, n; + uint64_t i, n, ofs; int r; assert(f); @@ -1986,10 +1986,24 @@ int journal_file_next_entry( } /* And jump to it */ - return generic_array_get(f, - le64toh(f->header->entry_array_offset), - i, - ret, offset); + r = generic_array_get(f, + le64toh(f->header->entry_array_offset), + i, + ret, &ofs); + if (r <= 0) + return r; + + if (p > 0 && + (direction == DIRECTION_DOWN ? ofs <= p : ofs >= p)) { + log_debug("%s: entry array corrupted at entry %"PRIu64, + f->path, i); + return -EBADMSG; + } + + if (offset) + *offset = ofs; + + return 1; } int journal_file_skip_entry( |