zdb: zdb_ddt_leak_init() reads uninitialized memory when birth == 0
This was written by Jeff Bonick and was committed to OpenSolaris on November 1, 2009. It appears that Jeff meant to continue the outer loop iteration when `ddp->ddp_phys_birth == 0`, but put his check inside the inner loop. This causes a pointer to uninitialized memory to be passed to ddt_lookup() inside a VERIFY() statement whenever that condition is true. Reported-by: Coverity (CID 1524462) Reviewed-by: Damian Szuberski <szuberskidamian@gmail.com> Reviewed-by: Alexander Motin <mav@FreeBSD.org> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #14264
This commit is contained in:
parent
2709ace096
commit
d30db519af
|
@ -5779,9 +5779,10 @@ zdb_ddt_leak_init(spa_t *spa, zdb_cb_t *zcb)
|
|||
|
||||
ASSERT(ddt_phys_total_refcnt(&dde) > 1);
|
||||
|
||||
for (p = 0; p < DDT_PHYS_TYPES; p++, ddp++) {
|
||||
if (ddp->ddp_phys_birth == 0)
|
||||
continue;
|
||||
|
||||
for (p = 0; p < DDT_PHYS_TYPES; p++, ddp++) {
|
||||
ddt_bp_create(ddb.ddb_checksum,
|
||||
&dde.dde_key, ddp, &blk);
|
||||
if (p == DDT_PHYS_DITTO) {
|
||||
|
|
Loading…
Reference in New Issue