NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
port-vax/41315: off by one error in vfs_dirhash.c
>Number: 41315
>Category: port-vax
>Synopsis: off by one error in vfs_dirhash.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: port-vax-maintainer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri May 01 02:55:00 +0000 2009
>Originator: Kurt Lidl
>Release: netbsd-5-RC4
>Organization:
>Environment:
cross-compile of netbsd-5-RC4 from solaris for a vax
I noticed the problem compiling for a vax, but it's
a MI kernel file.
>Description:
I whacked up a gcc 4.4.1-prerelease to build the netbsd-vax
tree. (I've not updated to netbsd-5 release, but will soon.)
Anyway, it complains thusly:
# compile GENERIC/ncr53c9x.o
/nbsd/vax-5/tools/bin/vax--netbsdelf-gcc -fno-pic -ffreestanding # compile
GENERIC/vfs_dirhash.o
/nbsd/vax-5/tools/bin/vax--netbsdelf-gcc -fno-pic -ffreestanding
-fno-zero-initialized-in-bss -g -pipe -O2 -std=gnu99 -fno-strict-aliasing
-Werror -Wall -Wno-main -Wno-format-zero-length -Wpointer-arith
-Wmissing-prototypes -Wstrict-prototypes -Wswitch -Wshadow -Wcast-qual
-Wwrite-strings -Wno-unreachable-code -Wno-sign-compare -Wno-pointer-sign
-Wno-attributes -Werror -D_VAX_INLINE_ -I. -I/nbsd/nbsd-5/sys/../common/include
-I/nbsd/nbsd-5/sys/arch -I/nbsd/nbsd-5/sys -nostdinc -DLKM -DMAXUSERS=8
-D_KERNEL -D_KERNEL_OPT
-I/nbsd/nbsd-5/sys/lib/libkern/../../../common/lib/libc/quad
-I/nbsd/nbsd-5/sys/lib/libkern/../../../common/lib/libc/string
-I/nbsd/nbsd-5/sys/lib/libkern/../../../common/lib/libc/arch/vax/string
-I/nbsd/nbsd-5/sys/dist/ipf -c /nbsd/nbsd-5/sys/kern/vfs_dirhash.c
cc1: warnings being treated as errors
/nbsd/nbsd-5/sys/kern/vfs_dirhash.c: In function 'dirhash_purge_entries':
/nbsd/nbsd-5/sys/kern/vfs_dirhash.c:166: error: array subscript is above array
bounds
>How-To-Repeat:
Do the above compile.
>Fix:
Looking at the code, a loop runs through the hash entries, and
stops when the index reaches max value. Of course, the index value is
incremented once more (past the end of the array) and that
value is then used later.
Backing up the index counter by one should avoid the problem.
Index: sys/kern/vfs_dirhash.c
===================================================================
RCS file: /cvsroot/src/sys/kern/vfs_dirhash.c,v
retrieving revision 1.4.2.5
diff -u -3 -r1.4.2.5 vfs_dirhash.c
--- sys/kern/vfs_dirhash.c 6 Jan 2009 23:01:49 -0000 1.4.2.5
+++ sys/kern/vfs_dirhash.c 30 Apr 2009 02:45:47 -0000
@@ -159,6 +159,7 @@
}
}
dirh_e = LIST_FIRST(&dirh->free_entries);
+ hashline--;
while (dirh_e) {
LIST_REMOVE(dirh_e, next);
Home |
Main Index |
Thread Index |
Old Index