Subject: bin/35474: fsck_lfs problems
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <kefren@netbsd.ro>
List: netbsd-bugs
Date: 01/24/2007 09:20:00
>Number: 35474
>Category: bin
>Synopsis: fsck_lfs problems
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jan 24 09:20:00 +0000 2007
>Originator: Mihai Chelaru
>Release: NetBSD 4.0_BETA2
>Organization:
>Environment:
System: NetBSD test-xen0.girsa.ro 4.0_BETA2 NetBSD 4.0_BETA2 (Kefren.DOM0) #0: Mon Jan 22 14:51:44 EET 2007 root@test-xen0.girsa.ro:/usr/src/sys/arch/i386/compile/Kefren.DOM0 i386
Architecture: i386
Machine: i386
>Description:
sbin/fsck_lfs/inode.c line 153:

	ndb = howmany(dino.di_size, fs->lfs_bsize);

line 162:

	if (--ndb == 0 && (offset = blkoff(fs, dino.di_size)) != 0) {

Don't know whether the above check is correct in case dino.di_size == 0.

Second one: same sbin/fsck_lfs/inode.c, lines 365-369:

	blks = howmany(dp->di_size, fs->lfs_bsize);
	if (blks > NDADDR)
		blks = NDADDR + NIADDR;
	inp = emalloc(sizeof(*inp) + (blks - 1) * sizeof(ufs_daddr_t));

Same problem. If dp->di_size == 0 => blks = 0 and we will end up
trying to alloc a huge area of memory and crash.
>How-To-Repeat:
Code inspection.
>Fix:
don't know
>Unformatted:
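Added example (editor's code, not from the PR or from NetBSD's fsck_lfs sources) reproducing the arithmetic of the second finding above. The struct inoinfo layout, the NDADDR/NIADDR values, the type of blks (the PR does not show its declaration; unsigned int is assumed) and the 8192-byte block size are all assumptions for illustration; howmany() is the BSD macro copied in so the file compiles stand-alone. It shows how di_size == 0 makes (blks - 1) underflow before the multiply, a clamped version that avoids it, and a bounds check that catches any request cacheino() could not legitimately make:

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* howmany() as defined in BSD <sys/param.h>, copied so this compiles anywhere. */
#define howmany(x, y)	(((x) + ((y) - 1)) / (y))

/* Assumed constants and types standing in for the fsck_lfs ones; the
 * values are illustrative, not taken from the PR or from NetBSD headers. */
#define NDADDR	12
#define NIADDR	3
typedef int32_t ufs_daddr_t;

/* Assumed, simplified layout of struct inoinfo: a fixed header followed by
 * a one-element block array that callers over-allocate (hence "blks - 1"). */
struct inoinfo {
	uint64_t	i_number;
	uint64_t	i_size;
	unsigned int	i_numblks;
	ufs_daddr_t	i_blks[1];
};

/*
 * The allocation size exactly as the quoted cacheino() lines compute it.
 * With blks == 0 the subtraction underflows before the multiply: if blks is
 * narrower than size_t the request becomes roughly UINT_MAX * 4 bytes; if it
 * is the same width the product wraps and the request ends up smaller than
 * sizeof(struct inoinfo). Either way emalloc() is handed garbage.
 * (The declaration of blks is not in the PR; unsigned int is assumed here.)
 */
size_t
inoinfo_size_as_reported(uint64_t di_size, unsigned int lfs_bsize)
{
	unsigned int blks;

	blks = howmany(di_size, lfs_bsize);
	if (blks > NDADDR)
		blks = NDADDR + NIADDR;
	return sizeof(struct inoinfo) + (blks - 1) * sizeof(ufs_daddr_t);
}

/*
 * Hardened version: clamp blks to at least 1 so the "- 1" never underflows.
 * A zero-length file still gets the one i_blks slot the struct already has.
 */
size_t
inoinfo_size_checked(uint64_t di_size, unsigned int lfs_bsize)
{
	uint64_t blks = howmany(di_size, lfs_bsize);

	if (blks > NDADDR)
		blks = NDADDR + NIADDR;
	if (blks == 0)
		blks = 1;
	return sizeof(struct inoinfo) + (size_t)(blks - 1) * sizeof(ufs_daddr_t);
}

/*
 * Sanity check a request against the only sizes cacheino() can legitimately
 * ask for: at least the bare struct, at most the struct plus NDADDR+NIADDR-1
 * extra block slots. Anything else is an arithmetic fault, not a big file.
 */
int
request_is_bogus(size_t n)
{
	size_t lo = sizeof(struct inoinfo);
	size_t hi = lo + (NDADDR + NIADDR - 1) * sizeof(ufs_daddr_t);

	return n < lo || n > hi;
}

int
main(void)
{
	/* Constructed sample sizes, including the di_size == 0 case from the PR. */
	const uint64_t sizes[] = { 0, 1, 8191, 8192, 8193, (uint64_t)1 << 30 };
	const unsigned int bsize = 8192;	/* assumed lfs_bsize */
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		size_t bad = inoinfo_size_as_reported(sizes[i], bsize);
		size_t ok = inoinfo_size_checked(sizes[i], bsize);

		printf("di_size=%" PRIu64 "\tas reported: %zu bytes%s\tchecked: %zu bytes\n",
		    sizes[i], bad, request_is_bogus(bad) ? " (BOGUS)" : "", ok);
	}
	return 0;
}
```

Build with cc -std=c99 -Wall and run it; the di_size=0 row is the only one flagged BOGUS, and whether that request is absurdly large or wrapped to less than the struct depends only on whether size_t is wider than the assumed unsigned int blks. The request_is_bogus() bound is the kind of check worth keeping in front of any emalloc() whose size is derived from on-disk fields.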