Avoid stack overwrite in zfs_setattr_dir()
authorTim Chase <tim@chase2k.com>
Wed, 10 Apr 2019 22:38:21 +0000 (17:38 -0500)
committerBrian Behlendorf <behlendorf1@llnl.gov>
Wed, 10 Apr 2019 22:38:21 +0000 (15:38 -0700)
The bulk[] array index, count, must be reset per-iteration in order to
not overwrite the stack.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Chris Dunlop <chris@onthe.net.au>
Reviewed-by: Tom Caputi <tcaputi@datto.com>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #8072
Closes #8597
Closes #8601

module/zfs/zfs_vnops.c

index c77101485ffa53b0ebc9b0ad8c9ec17a01925647..0de75a8912cf23ad0f95a200c0c5d19071ec1374 100644 (file)
@@ -2710,11 +2710,12 @@ zfs_setattr_dir(znode_t *dzp)
        dmu_tx_t        *tx = NULL;
        uint64_t        uid, gid;
        sa_bulk_attr_t  bulk[4];
-       int             count = 0;
+       int             count;
        int             err;
 
        zap_cursor_init(&zc, os, dzp->z_id);
        while ((err = zap_cursor_retrieve(&zc, &zap)) == 0) {
+               count = 0;
                if (zap.za_integer_length != 8 || zap.za_num_integers != 1) {
                        err = ENXIO;
                        break;
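Review bot: `count` is now declared uninitialised at function scope (`int count;`) and only becomes valid at the `count = 0;` on the first line of the `while` body, so the per-iteration reset depends on that statement staying first in the loop. Declaring it in the loop block instead, `int count = 0;` as the opening declaration of the `while` body, would tie the reset to each iteration and keep the index out of scope where it has no defined value. Because `bulk[4]` is a fixed-size stack array, an assertion such as `ASSERT3S(count, <=, ARRAY_SIZE(bulk));` just before the index is consumed would turn any future regression into an assertion failure on debug builds instead of a silent stack overwrite. That point is presumably the bulk update further down, which lies outside this hunk, as does the rest of the `zfs_setattr_dir()` body.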