From: Rusty Russell <rusty@rustcorp.com.au>
Date: Mon, 6 Dec 2010 03:22:38 +0000 (+1030)
Subject: idtree: fix overflow for v. large ids on allocation and removal
X-Git-Url: http://git.samba.org/?p=sahlberg%2Fctdb.git;a=commitdiff_plain;h=6ef0c82222bdae6cf4163b05e2488a582230c5e4

idtree: fix overflow for v. large ids on allocation and removal

(Imported from SAMBA commit 09a6538969ac).

Chris Cowan tracked down a SEGV in sub_alloc: idp->level can actually
be equal to 7 (MAX_LEVEL) there, as it can be in sub_remove.

(We unfairly blamed a shift of a signed var for this crash in commit
 2db1987f5a3a).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
---

diff --git a/lib/util/idtree.c b/lib/util/idtree.c
index 05c22958..09dc237f 100644
--- a/lib/util/idtree.c
+++ b/lib/util/idtree.c
@@ -104,7 +104,7 @@ static int sub_alloc(struct idr_context *idp, void *ptr, int *starting_id)
 {
 	int n, m, sh;
 	struct idr_layer *p, *new;
-	struct idr_layer *pa[MAX_LEVEL];
+	struct idr_layer *pa[MAX_LEVEL+1];
 	unsigned int l, id, oid;
 	uint32_t bm;