From 5f7b481349796cc0e90563ed01353809b403e429 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sun, 16 Mar 2014 20:08:32 +0000
Subject: tdb: Fix a tdb corruption

tdb_purge_dead can change the next pointer of "rec" if we purge the record right behind the current record to be deleted. Just overwrite the magic, not the whole record with stale data.

Signed-off-by: Volker Lendecke
Reviewed-by: Michael Adam
Reviewed-by: Stefan Metzmacher
---
 lib/tdb/common/tdb.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'lib/tdb')
diff --git a/lib/tdb/common/tdb.c b/lib/tdb/common/tdb.c
index 1e41e84c82a..3aabcfa9e60 100644
--- a/lib/tdb/common/tdb.c
+++ b/lib/tdb/common/tdb.c
@@ -394,6 +394,8 @@ static int tdb_delete_hash(struct tdb_context *tdb, TDB_DATA key, uint32_t hash)
 if (tdb->max_dead_records != 0) {
+ uint32_t magic = TDB_DEAD_MAGIC;
+
 /*
 * Allow for some dead records per hash chain, mainly for
 * tdb's with a very high create/delete rate like locking.tdb.
@@ -410,8 +412,9 @@ static int tdb_delete_hash(struct tdb_context *tdb, TDB_DATA key, uint32_t hash)
 /*
 * Just mark the record as dead.
 */
- rec.magic = TDB_DEAD_MAGIC;
- ret = tdb_rec_write(tdb, rec_ptr, &rec);
+ ret = tdb_ofs_write(
+ tdb, rec_ptr + offsetof(struct tdb_record, magic),
+ &magic);
 }
 else {
 ret = tdb_do_delete(tdb, rec_ptr, &rec);
--
cgit
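Review bot: The comment kept above the new write in the second hunk, `Just mark the record as dead.`, does not say why only the magic field is written, so a later cleanup could put back a whole-record `tdb_rec_write` and reintroduce the corruption. I would extend it to something like `Just mark the record as dead. Write only the magic: tdb_purge_dead() may have changed this record's next pointer on disk, so "rec" is stale here.` Separately, `magic` is declared `uint32_t` in the first hunk and handed to `tdb_ofs_write`, which by its name is presumably typed for file offsets; that relies on the offset type and the `magic` field having the same width and byte-order handling, which deserves a one-line comment or a compile-time size check. The body of `tdb_delete_hash` starts and ends outside both hunks, so whether the stale `rec` is read again after the purge cannot be confirmed from this page.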