idtree: fix overflow for v. large ids on allocation and removal

Chris Cowan tracked down a SEGV in sub_alloc: idp->level can actually
be equal to 7 (MAX_LEVEL) there, as it can be in sub_remove.

(We unfairly blamed a shift of a signed var for this crash in commit
 2db1987f5a3a).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Autobuild-User: Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date: Mon Dec  6 05:02:22 CET 2010 on sn-devel-104

diff --git a/lib/util/idtree.c b/lib/util/idtree.c
index 6611992a25ff887fbfe1340e139fb99d92f7cff6..364876106929a545441eb3c165e31cc5024a7082 100644 (file)
--- a/lib/util/idtree.c
+++ b/lib/util/idtree.c
@@ -104,7 +104,7 @@ static int sub_alloc(struct idr_context *idp, void *ptr, int *starting_id)
 {
        int n, m, sh;
        struct idr_layer *p, *pn;
-       struct idr_layer *pa[MAX_LEVEL];
+       struct idr_layer *pa[MAX_LEVEL+1];
        unsigned int l, id, oid;
        uint32_t bm;