xfs

RE: [PATCH] SGI-PV: Read buffer overflow

To: "Roel Kluin" <roel.kluin@xxxxxxxxx>
Subject: RE: [PATCH] SGI-PV: Read buffer overflow
From: "Alex Elder" <aelder@xxxxxxx>
Date: Mon, 3 Aug 2009 14:11:48 -0500
Cc: <felixb@xxxxxxx>, <xfs@xxxxxxxxxxx>, "Andrew Morton" <akpm@xxxxxxxxxxxxxxxxxxxx>
In-reply-to: <4A7575EF.8070404@xxxxxxxxx>
Thread-index: AcoTZeVC+3OH8VKwTV680iMd89YUlgBBwExA
Thread-topic: [PATCH] SGI-PV: Read buffer overflow
> Check whether index is within bounds before grabbing the element.
> 
> Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx>
> ---
> diff --git a/fs/xfs/xfs_da_btree.c b/fs/xfs/xfs_da_btree.c
> index 9ff6e57..ef1d275 100644
> --- a/fs/xfs/xfs_da_btree.c
> +++ b/fs/xfs/xfs_da_btree.c
> @@ -1414,8 +1414,9 @@ xfs_da_path_shift(xfs_da_state_t 
> *state, xfs_da_state_path_t *path,
>       ASSERT(args != NULL);
>       ASSERT(path != NULL);
>       ASSERT((path->active > 0) && (path->active < XFS_DA_NODE_MAXDEPTH));
> -     level = (path->active-1) - 1;   /* skip bottom layer in path */
> -     for (blk = &path->blk[level]; level >= 0; blk--, level--) {
> +     /* skip bottom layer in path */
> +     for (level = (path->active-1) - 1; level >= 0; blk--, level--) {

No need to decrement "blk" above.  You are reassigning it anyway
in the next statement.

> +             blk = &path->blk[level];
>               ASSERT(blk->bp != NULL);
>               node = blk->bp->data;
>               ASSERT(be16_to_cpu(node->hdr.info.magic) == XFS_DA_NODE_MAGIC);
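
Review bot: In the new `for` header, `blk--` is still in the increment expression even though `blk` is now assigned from `&path->blk[level]` at the top of every iteration. After the `level == 0` pass that decrement forms a pointer one element before `path->blk[0]`, which is the same out-of-range address computation the bounds check is meant to remove, so the increment should be just `level--`. The changelog could also be more precise: with `path->active == 1`, which the ASSERT allows, the old code computed `&path->blk[-1]` but the `level >= 0` condition meant the loop body never ran with it, so "read buffer overflow" overstates what these lines show.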

Note that if level were < 0 upon entry to the loop in its previous
form, then the computed value of blk would never have been used.

                                        -Alex
