From: Tim Chase Date: Wed, 10 Apr 2019 22:38:21 +0000 (-0500) Subject: Avoid stack overwrite in zfs_setattr_dir() X-Git-Tag: zfs-0.8.0-rc4~26 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8cb34421e0bf1fea316d16014483d61381a41f57;p=zfs Avoid stack overwrite in zfs_setattr_dir() The bulk[] array index, count, must be reset per-iteration in order to not overwrite the stack. Reviewed-by: Brian Behlendorf Reviewed-by: Chris Dunlop Reviewed-by: Tom Caputi Signed-off-by: Tim Chase Closes #8072 Closes #8597 Closes #8601 --- diff --git a/module/zfs/zfs_vnops.c b/module/zfs/zfs_vnops.c index c77101485..0de75a891 100644 --- a/module/zfs/zfs_vnops.c +++ b/module/zfs/zfs_vnops.c @@ -2710,11 +2710,12 @@ zfs_setattr_dir(znode_t *dzp) dmu_tx_t *tx = NULL; uint64_t uid, gid; sa_bulk_attr_t bulk[4]; - int count = 0; + int count; int err; zap_cursor_init(&zc, os, dzp->z_id); while ((err = zap_cursor_retrieve(&zc, &zap)) == 0) { + count = 0; if (zap.za_integer_length != 8 || zap.za_num_integers != 1) { err = ENXIO; break;
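Review bot: In the declaration part of this hunk, `int count;` is left uninitialized and is only assigned by the `count = 0;` at the top of the `while` body, so any read of `count` outside an iteration would see an indeterminate value. Declaring it inside the loop body as `int count = 0;` would tie its lifetime to one iteration and make the per-iteration reset impossible to lose in a later edit. Since `bulk[]` is a fixed four-entry array on the stack, an assertion that `count` does not exceed four before the array is used would make any recurrence of this bug fail loudly instead of overwriting the stack. A one-line comment at the reset explaining that `count` indexes `bulk[]` would also help, because the reason for the placement is otherwise only in the commit message.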