From: Rusty Russell <rusty@rustcorp.com.au>
Date: Mon, 6 Dec 2010 03:12:13 +0000 (+1030)
Subject: idtree: fix overflow for v. large ids on allocation and removal
X-Git-Url: https://git.ozlabs.org/?p=ccan;a=commitdiff_plain;h=c5074939f21be43eb408dbab5f6708dd74dba531;hp=9ad912e2583efd7d9927b0155688f9bc5291efdb;ds=sidebyside

idtree: fix overflow for v. large ids on allocation and removal

Chris Cowan tracked down a SEGV in sub_alloc: idp->level can actually
be equal to 7 (MAX_LEVEL) there, as it can be in sub_remove.
---

diff --git a/ccan/idtree/idtree.c b/ccan/idtree/idtree.c
index 5a26234e..b3b1d606 100644
--- a/ccan/idtree/idtree.c
+++ b/ccan/idtree/idtree.c
@@ -99,7 +99,7 @@ static int sub_alloc(struct idtree *idp, const void *ptr, int *starting_id)
 {
 	int n, m, sh;
 	struct idtree_layer *p, *pn;
-	struct idtree_layer *pa[MAX_LEVEL];
+	struct idtree_layer *pa[MAX_LEVEL+1];
 	unsigned int l, id, oid;
 	uint32_t bm;