NetBSD-Bugs archive


Re: port-vax/41315: off by one error in vfs_dirhash.c



The following reply was made to PR kern/41315; it has been noted by GNATS.

From: christos%zoulas.com@localhost (Christos Zoulas)
To: gnats-bugs%NetBSD.org@localhost, port-vax-maintainer%netbsd.org@localhost, 
        gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Cc: 
Subject: Re: port-vax/41315: off by one error in vfs_dirhash.c
Date: Fri, 1 May 2009 10:35:16 -0400

 On May 1,  2:55am, lidl%pix.net@localhost (lidl%pix.net@localhost) wrote:
 -- Subject: port-vax/41315: off by one error in vfs_dirhash.c
 
 | >Number:         41315
 | >Category:       port-vax
 | >Synopsis:       off by one error in vfs_dirhash.c
 | >Confidential:   no
 | >Severity:       serious
 | >Priority:       medium
 | >Responsible:    port-vax-maintainer
 | >State:          open
 | >Class:          sw-bug
 | >Submitter-Id:   net
 | >Arrival-Date:   Fri May 01 02:55:00 +0000 2009
 | >Originator:     Kurt Lidl
 | >Release:        netbsd-5-RC4
 | >Organization:
 | >Environment:
 | cross-compile of netbsd-5-RC4 from solaris for a vax
 | I noticed the problem compiling for a vax, but it's
 | an MI kernel file.
 | >Description:
 | I whacked up a gcc 4.4.1-prerelease to build the netbsd-vax
 | tree.  (I've not updated to netbsd-5 release, but will soon.)
 | 
 | Anyway, it complains thusly:
 | 
 | #   compile  GENERIC/ncr53c9x.o
 | /nbsd/vax-5/tools/bin/vax--netbsdelf-gcc -fno-pic -ffreestanding #   compile GENERIC/vfs_dirhash.o
 | /nbsd/vax-5/tools/bin/vax--netbsdelf-gcc -fno-pic -ffreestanding -fno-zero-initialized-in-bss -g -pipe -O2 -std=gnu99 -fno-strict-aliasing -Werror -Wall -Wno-main -Wno-format-zero-length -Wpointer-arith -Wmissing-prototypes -Wstrict-prototypes -Wswitch -Wshadow -Wcast-qual -Wwrite-strings -Wno-unreachable-code -Wno-sign-compare -Wno-pointer-sign -Wno-attributes -Werror -D_VAX_INLINE_ -I. -I/nbsd/nbsd-5/sys/../common/include -I/nbsd/nbsd-5/sys/arch -I/nbsd/nbsd-5/sys -nostdinc -DLKM -DMAXUSERS=8 -D_KERNEL -D_KERNEL_OPT -I/nbsd/nbsd-5/sys/lib/libkern/../../../common/lib/libc/quad -I/nbsd/nbsd-5/sys/lib/libkern/../../../common/lib/libc/string -I/nbsd/nbsd-5/sys/lib/libkern/../../../common/lib/libc/arch/vax/string -I/nbsd/nbsd-5/sys/dist/ipf -c /nbsd/nbsd-5/sys/kern/vfs_dirhash.c
 | cc1: warnings being treated as errors
 | /nbsd/nbsd-5/sys/kern/vfs_dirhash.c: In function 'dirhash_purge_entries':
 | /nbsd/nbsd-5/sys/kern/vfs_dirhash.c:166: error: array subscript is above array bounds
 | 
 | 
 | >How-To-Repeat:
 | Do the above compile.
 | 
 | >Fix:
 | Looking at the code, a loop runs through the hash entries, and
 | stops when the index reaches max value.  Of course, the index value is
 | incremented once more (past the end of the array) and that
 | value is then used later.
 | 
 | Backing up the index counter by one should avoid the problem.
 | 
 | Index: sys/kern/vfs_dirhash.c
 | ===================================================================
 | RCS file: /cvsroot/src/sys/kern/vfs_dirhash.c,v
 | retrieving revision 1.4.2.5
 | diff -u -3 -r1.4.2.5 vfs_dirhash.c
 | --- sys/kern/vfs_dirhash.c      6 Jan 2009 23:01:49 -0000       1.4.2.5
 | +++ sys/kern/vfs_dirhash.c      30 Apr 2009 02:45:47 -0000
 | @@ -159,6 +159,7 @@
 |                 }
 |         }
 |         dirh_e = LIST_FIRST(&dirh->free_entries);
 | +       hashline--;
 | 
 |         while (dirh_e) {
 |                 LIST_REMOVE(dirh_e, next);
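
 Review bot: the added `hashline--;` sits between `dirh_e = LIST_FIRST(&dirh->free_entries);` and the `while (dirh_e)` loop with no comment saying why a hash-bucket index is still needed once the code has moved on to the free list. Adjusting the counter brings it back in range and quiets the gcc bounds error, but the later use that depends on the loop counter's final value stays in place, and it falls outside this hunk's context (the error is reported at line 166). I would rather see that later use changed so it does not index with `hashline` at all; if the decrement is kept, add a comment naming the use it protects and move it next to the loop that produced the out-of-range value, so it does not separate the `LIST_FIRST` assignment from the loop that consumes `dirh_e`.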
 
 We should pull in the fix from head.
 
 christos
 

