When up-converting a RAID1 array, we need to allocate new larger arrays for

seg->areas and seg->meta_areas.  We also need to copy the memory from the
old arrays to the newly allocated arrays.  The amount of memory to copy was
determined by seg->area_count.  However, seg->area_count was being set to the
higher value after copying the 'seg->areas' information, but before copying
the 'seg->meta_areas' information.  This means we were copying more memory
than necessary for 'seg->meta_areas' - something that could lead to a segfault.

1 files changed, 1 insertions, 1 deletions

diff --git a/lib/metadata/raid_manip.c b/lib/metadata/raid_manip.c
index 19808184..c6fb1f12 100644
--- a/lib/metadata/raid_manip.c
+++ b/lib/metadata/raid_manip.c
@@ -499,7 +499,6 @@ to be left for these sub-lvs.
 		goto fail;
 	memcpy(new_areas, seg->areas, seg->area_count * sizeof(*seg->areas));
 	seg->areas = new_areas;
-	seg->area_count = new_count;
 
 	/* Expand meta_areas array */
 	if (!(new_areas = dm_pool_zalloc(lv->vg->cmd->mem,
@@ -508,6 +507,7 @@ to be left for these sub-lvs.
 	memcpy(new_areas, seg->meta_areas,
 	       seg->area_count * sizeof(*seg->meta_areas));
 	seg->meta_areas = new_areas;
+	seg->area_count = new_count;
 
 	/* Set segment areas for metadata sub_lvs */
 	s = old_count;