diff options
author | Tim Chase <[email protected]> | 2019-04-10 17:38:21 -0500 |
---|---|---|
committer | Brian Behlendorf <[email protected]> | 2019-04-10 15:38:21 -0700 |
commit | 8cb34421e0bf1fea316d16014483d61381a41f57 (patch) | |
tree | 442ec4c1919545a1d1d44b6ac822b16a02e21267 | |
parent | 5ae4e4481eede259a64260ab1b09f86ff46c8f8d (diff) |
Avoid stack overwrite in zfs_setattr_dir()
The bulk[] array index, count, must be reset per-iteration in order to
not overwrite the stack.
Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Chris Dunlop <[email protected]>
Reviewed-by: Tom Caputi <[email protected]>
Signed-off-by: Tim Chase <[email protected]>
Closes #8072
Closes #8597
Closes #8601
-rw-r--r-- | module/zfs/zfs_vnops.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/module/zfs/zfs_vnops.c b/module/zfs/zfs_vnops.c index c77101485..0de75a891 100644 --- a/module/zfs/zfs_vnops.c +++ b/module/zfs/zfs_vnops.c @@ -2710,11 +2710,12 @@ zfs_setattr_dir(znode_t *dzp) dmu_tx_t *tx = NULL; uint64_t uid, gid; sa_bulk_attr_t bulk[4]; - int count = 0; + int count; int err; zap_cursor_init(&zc, os, dzp->z_id); while ((err = zap_cursor_retrieve(&zc, &zap)) == 0) { + count = 0; if (zap.za_integer_length != 8 || zap.za_num_integers != 1) { err = ENXIO; break; |