https://github.com/krb5/krb5/commit/537aba0dda3a1f696f10fde56348fde06d88939c
commit 537aba0dda3a1f696f10fde56348fde06d88939c
Author: Tom Yu <tlyu at mit.edu>
Date: Wed Sep 7 17:28:34 2016 -0400
Fix unaligned accesses in bt_split.c
In the libdb2 btree back end, splitting a page at an overflow key
could result in an unaligned access, causing a crash (and data
corruption) on platforms with strict alignment. This probably occurs
only rarely in practice.
ticket: 8493 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
src/plugins/kdb/db2/libdb2/btree/bt_split.c | 18 ++++++++++++------
1 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_split.c b/src/plugins/kdb/db2/libdb2/btree/bt_split.c
index 2460aa5..c5f151d 100644
--- a/src/plugins/kdb/db2/libdb2/btree/bt_split.c
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_split.c
@@ -245,9 +245,12 @@ __bt_split(t, sp, key, data, flags, ilen, argskip)
WR_BINTERNAL(dest, nksize ? nksize : bl->ksize,
rchild->pgno, bl->flags & P_BIGKEY);
memmove(dest, bl->bytes, nksize ? nksize : bl->ksize);
- if (bl->flags & P_BIGKEY &&
- bt_preserve(t, *(db_pgno_t *)bl->bytes) == RET_ERROR)
- goto err1;
+ if (bl->flags & P_BIGKEY) {
+ db_pgno_t pgno;
+ memcpy(&pgno, bl->bytes, sizeof(pgno));
+ if (bt_preserve(t, pgno) == RET_ERROR)
+ goto err1;
+ }
break;
case P_RINTERNAL:
/*
@@ -568,9 +571,12 @@ bt_broot(t, h, l, r)
* If the key is on an overflow page, mark the overflow chain
* so it isn't deleted when the leaf copy of the key is deleted.
*/
- if (bl->flags & P_BIGKEY &&
- bt_preserve(t, *(db_pgno_t *)bl->bytes) == RET_ERROR)
- return (RET_ERROR);
+ if (bl->flags & P_BIGKEY) {
+ db_pgno_t pgno;
+ memcpy(&pgno, bl->bytes, sizeof(pgno));
+ if (bt_preserve(t, pgno) == RET_ERROR)
+ return (RET_ERROR);
+ }
break;
case P_BINTERNAL:
bi = GETBINTERNAL(r, 0);