idtree: fix overflow for v. large ids on allocation and removal

(Imported from SAMBA commit 09a6538969ac).

Chris Cowan tracked down a SEGV in sub_alloc: idp->level can actually
be equal to 7 (MAX_LEVEL) there, as it can be in sub_remove.

(We unfairly blamed a shift of a signed var for this crash in commit
 2db1987f5a3a).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

diff --git a/lib/util/idtree.c b/lib/util/idtree.c
index 05c22958bf739359cc0c6f69962b067198bc27ab..09dc237f83c2eaebdecbbdcbf5068e032282d10a 100644 (file)
--- a/lib/util/idtree.c
+++ b/lib/util/idtree.c
@@ -104,7 +104,7 @@ static int sub_alloc(struct idr_context *idp, void *ptr, int *starting_id)
 {
        int n, m, sh;
        struct idr_layer *p, *new;
-       struct idr_layer *pa[MAX_LEVEL];
+       struct idr_layer *pa[MAX_LEVEL+1];
        unsigned int l, id, oid;
        uint32_t bm;