NetBSD-Bugs archive


port-vax/41315: off by one error in vfs_dirhash.c



>Number:         41315
>Category:       port-vax
>Synopsis:       off by one error in vfs_dirhash.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-vax-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri May 01 02:55:00 +0000 2009
>Originator:     Kurt Lidl
>Release:        netbsd-5-RC4
>Organization:
>Environment:
cross-compile of netbsd-5-RC4 from solaris for a vax
I noticed the problem compiling for a vax, but it's
an MI kernel file.
>Description:
I whacked up a gcc 4.4.1-prerelease to build the netbsd-vax
tree.  (I've not updated to netbsd-5 release, but will soon.)

Anyway, it complains thusly:

#   compile  GENERIC/ncr53c9x.o
/nbsd/vax-5/tools/bin/vax--netbsdelf-gcc -fno-pic -ffreestanding #   compile  
GENERIC/vfs_dirhash.o
/nbsd/vax-5/tools/bin/vax--netbsdelf-gcc -fno-pic -ffreestanding 
-fno-zero-initialized-in-bss -g -pipe -O2 -std=gnu99 -fno-strict-aliasing 
-Werror -Wall -Wno-main -Wno-format-zero-length -Wpointer-arith 
-Wmissing-prototypes -Wstrict-prototypes -Wswitch -Wshadow -Wcast-qual 
-Wwrite-strings -Wno-unreachable-code -Wno-sign-compare -Wno-pointer-sign 
-Wno-attributes -Werror -D_VAX_INLINE_ -I. -I/nbsd/nbsd-5/sys/../common/include 
-I/nbsd/nbsd-5/sys/arch -I/nbsd/nbsd-5/sys -nostdinc -DLKM -DMAXUSERS=8 
-D_KERNEL -D_KERNEL_OPT 
-I/nbsd/nbsd-5/sys/lib/libkern/../../../common/lib/libc/quad 
-I/nbsd/nbsd-5/sys/lib/libkern/../../../common/lib/libc/string 
-I/nbsd/nbsd-5/sys/lib/libkern/../../../common/lib/libc/arch/vax/string 
-I/nbsd/nbsd-5/sys/dist/ipf -c /nbsd/nbsd-5/sys/kern/vfs_dirhash.c
cc1: warnings being treated as errors
/nbsd/nbsd-5/sys/kern/vfs_dirhash.c: In function 'dirhash_purge_entries':
/nbsd/nbsd-5/sys/kern/vfs_dirhash.c:166: error: array subscript is above array 
bounds


>How-To-Repeat:
Do the above compile.

>Fix:
Looking at the code, a loop runs through the hash entries, and
stops when the index reaches max value.  Of course, the index value is
incremented once more (past the end of the array) and that
value is then used later.

Backing up the index counter by one should avoid the problem.

Index: sys/kern/vfs_dirhash.c
===================================================================
RCS file: /cvsroot/src/sys/kern/vfs_dirhash.c,v
retrieving revision 1.4.2.5
diff -u -3 -r1.4.2.5 vfs_dirhash.c
--- sys/kern/vfs_dirhash.c      6 Jan 2009 23:01:49 -0000       1.4.2.5
+++ sys/kern/vfs_dirhash.c      30 Apr 2009 02:45:47 -0000
@@ -159,6 +159,7 @@
                }
        }
        dirh_e = LIST_FIRST(&dirh->free_entries);
+       hashline--;

        while (dirh_e) {
                LIST_REMOVE(dirh_e, next);
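
Review bot: the added `hashline--;` sits between `dirh_e = LIST_FIRST(&dirh->free_entries);` and the `while (dirh_e)` loop, so any later subscript that uses `hashline` now lands on the last hash bucket, which has nothing to do with the free list this loop starts from. The compiler points at line 166, two lines past the last context line here and so most likely inside that loop. The decrement makes the subscript valid and quiets the array-bounds error, but before taking it I would check whether line 166 should index with `hashline` at all. If that statement fetches the next entry to release, re-reading `LIST_FIRST(&dirh->free_entries)` looks like the actual fix; if the decrement is intended, it needs a comment explaining why the last bucket is the right one to read.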
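
The pattern described in the Fix text, as an added example that is not NetBSD source and not part of the original report: a simplified model in which the index left over from the bucket loop is reused while draining the free list, comparing the reported state, the decrement, and re-reading the free list. The names (`purge`, `run_sample`, `NBUCKETS`) are hypothetical, and so is the assumption that the later use reads a bucket head inside the free-list loop; the report shows only the compiler's line number.

```c
#include <stdio.h>
#define NBUCKETS 4   /* hypothetical stand-in for the hash table width */
struct node { struct node *next; };
struct table { struct node *entries[NBUCKETS]; struct node *free_entries; };
enum variant { AS_REPORTED, DECREMENTED, REREAD_FREE_LIST };
struct result { int oob_index; int freed; };   /* oob_index -1: none seen */

static int drain(struct node **head) {   /* unlink and count one list */
    int n = 0;
    while (*head) { *head = (*head)->next; n++; }
    return n;
}

/* Model of the purge: empty each bucket, then the free list. */
static struct result purge(struct table *t, enum variant v) {
    struct result r = { -1, 0 };
    int i;
    for (i = 0; i < NBUCKETS; i++)
        r.freed += drain(&t->entries[i]);
    if (v == DECREMENTED) i--;   /* i == NBUCKETS after the loop, one past the end */
    struct node *e = t->free_entries;
    while (e) {
        t->free_entries = e->next;     /* unlink e */
        r.freed++;
        if (v == REREAD_FREE_LIST)
            e = t->free_entries;       /* next node of the list being drained */
        else if (i < NBUCKETS)
            e = t->entries[i];         /* in bounds, but an already emptied bucket */
        else { r.oob_index = i; break; }   /* recorded, not dereferenced */
    }
    return r;
}

/* Constructed sample: 2 hashed nodes, 3 nodes on the free list. */
struct result run_sample(enum variant v) {
    struct node n[5] = {{0}};
    struct table t = {{0}};
    t.entries[1] = &n[0]; n[0].next = &n[1];
    t.free_entries = &n[2]; n[2].next = &n[3]; n[3].next = &n[4];
    return purge(&t, v);
}

int main(void) {
    for (int v = AS_REPORTED; v <= REREAD_FREE_LIST; v++)
        printf("variant %d: freed=%d oob=%d\n", v, run_sample(v).freed, run_sample(v).oob_index);
    return 0;
}
```

On the constructed sample the decremented variant stays in bounds but releases only one of the three free-list nodes, while re-reading the free list releases all five nodes.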


