tdb: Fix a tdb corruption

tdb_purge_dead can change the next pointer of "rec" if we purge the record
right behind the current record to be deleted. Just overwrite the magic,
not the whole record with stale data.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/lib/tdb/common/tdb.c b/lib/tdb/common/tdb.c
index 1e41e84c82ad676fc376bdbb2b343d85c4851d10..3aabcfa9e606671efc19114ee954150133d28ccd 100644 (file)
--- a/lib/tdb/common/tdb.c
+++ b/lib/tdb/common/tdb.c
@@ -394,6 +394,8 @@ static int tdb_delete_hash(struct tdb_context *tdb, TDB_DATA key, uint32_t hash)
 
        if (tdb->max_dead_records != 0) {
 
+               uint32_t magic = TDB_DEAD_MAGIC;
+
                /*
                 * Allow for some dead records per hash chain, mainly for
                 * tdb's with a very high create/delete rate like locking.tdb.
@@ -410,8 +412,9 @@ static int tdb_delete_hash(struct tdb_context *tdb, TDB_DATA key, uint32_t hash)
                /*
                 * Just mark the record as dead.
                 */
-               rec.magic = TDB_DEAD_MAGIC;
-               ret = tdb_rec_write(tdb, rec_ptr, &rec);
+               ret = tdb_ofs_write(
+                       tdb, rec_ptr + offsetof(struct tdb_record, magic),
+                       &magic);
        }
        else {
                ret = tdb_do_delete(tdb, rec_ptr, &rec);