
[dm-devel] Segment fault in datastruct/hash.c



Hi all,

  Found by Anders Johansson <ajohansson novell com>, vgscan may segfault
in datastruct/hash.c at memcmp(key, (*c)->key, len). It happens because
the (*c)->key is much shorter than the key, and the memory area
following (*c)->key is inaccessible at the time.

(gdb) p (*c)->key
$1 = 0x80229fb4 "/dev/disk/by-id/ccw-LXD332"
(gdb) x/80cb 0x80229fb4
0x80229fb4:	47 '/'	100 'd'	101 'e'	118 'v'	47 '/'	100 'd'	105 'i'	115 's'
0x80229fbc:	107 'k'	47 '/'	98 'b'	121 'y'	45 '-'	105 'i'	100 'd'	47 '/'
0x80229fc4:	99 'c'	99 'c'	119 'w'	45 '-'	76 'L'	88 'X'	68 'D'	51 '3'
0x80229fcc:	51 '3'	50 '2'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'
0x80229fd4:	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'
0x80229fdc:	0 '\0'	0 '\0'	0 '\0'	49 '1'	0 '\0'	0 '\0'	0 '\0'	0 '\0'
0x80229fe4:	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'
0x80229fec:	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'
0x80229ff4:	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'	0 '\0'
0x80229ffc:	0 '\0'	0 '\0'	0 '\0'	0 '\0'	Cannot access memory at address 0x8022a000

  I generated a patch against the latest git tree. Please consider it
for inclusion.

  Thanks.
diff --git a/libdm/datastruct/hash.c b/libdm/datastruct/hash.c
index 9f8eff6..16d8896 100644
--- a/libdm/datastruct/hash.c
+++ b/libdm/datastruct/hash.c
@@ -143,9 +143,13 @@ static struct dm_hash_node **_find(struct dm_hash_table *t, const char *key,
 	unsigned h = _hash(key, len) & (t->num_slots - 1);
 	struct dm_hash_node **c;
 
-	for (c = &t->slots[h]; *c; c = &((*c)->next))
+	for (c = &t->slots[h]; *c; c = &((*c)->next)) {
+		if ((*c)->keylen != len)
+			continue
+
 		if (!memcmp(key, (*c)->key, len))
 			break;
+	}
 
 	return c;
 }
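
Review bot: the added `continue` in the new length test inside _find() has no terminating semicolon, so the hunk does not compile as posted; it needs to read `continue;`. The check itself addresses the over-read, because memcmp() is asked for len bytes of (*c)->key however short the stored key is, but please confirm that keylen is recorded in the same units as the len callers pass (with or without the terminating NUL), otherwise real matches would be skipped. The two tests could also be folded into a single condition, `if ((*c)->keylen == len && !memcmp(key, (*c)->key, len))`, which avoids the extra braces and the blank line inside the loop.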
