From: Jeff Mahoney <jeffm@suse.com>
To: Hans Reiser <reiser@namesys.com>,
	ReiserFS List <reiserfs-list@namesys.com>
Subject: Static overrun in reiser3
Date: Wed, 15 Mar 2006 16:37:11 -0500
Message-ID: <44188907.50100@suse.com>


Hi Hans -

I've been playing around with the Coverity code checker, and while I
think it still sees a few too many false positives, it's a good tool.

Anyway, one of the potential bugs it came up with in reiserfs was this one:

struct tree_balance contains a number of arrays of size MAX_HEIGHT (5).
In fix_nodes(), line 2502, we see:
                        p_s_tb->insert_size[n_h + 1] =
                            (DC_SIZE + KEY_SIZE) * (p_s_tb->blknum[n_h] - 1);

I haven't run a thorough analysis, but is it possible for n_h to be 4
there, and then n_h + 1 would be 5, overrunning into the next field of
struct tree_balance? The tool seems to think so, but it also thought
that not checking that dentry->d_inode != NULL after calling
inode->i_op->mkdir was invalid, even though a successful return value
implies that dentry->d_inode != NULL.

-Jeff

--
Jeff Mahoney
SUSE Labs
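The indexing question raised in the message above, as an added example (not part of the original post and not kernel code): a simplified model of a struct holding several `MAX_HEIGHT`-sized arrays, showing which byte offset `insert_size[n_h + 1]` addresses when `n_h` is 4 and a guarded form of the assignment. The struct `tb_model`, its field `next_field`, the helper names, the `DC_SIZE`/`KEY_SIZE` values and the sample `blknum` contents are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_HEIGHT 5    /* value given in the message */
#define DC_SIZE    8    /* assumed placeholder value */
#define KEY_SIZE   16   /* assumed placeholder value */

/* Simplified model, NOT the kernel's struct tree_balance: only the shape
 * (fixed arrays of MAX_HEIGHT laid out back to back) is kept. */
struct tb_model {
    int insert_size[MAX_HEIGHT];
    int next_field[MAX_HEIGHT];   /* hypothetical neighbouring field */
    int blknum[MAX_HEIGHT];
};

/* Byte offset that insert_size[idx] would address, computed without
 * dereferencing, so no out-of-bounds access is performed here. */
static size_t slot_offset(int idx)
{
    return offsetof(struct tb_model, insert_size) + (size_t)idx * sizeof(int);
}

/* 1 if both blknum[h] and insert_size[h + 1] are inside their arrays. */
static int next_level_in_bounds(int h)
{
    return h >= 0 && h + 1 < MAX_HEIGHT;
}

/* Guarded form of the assignment; returns 0 on success, -1 if refused. */
static int set_next_insert_size(struct tb_model *tb, int h)
{
    if (!next_level_in_bounds(h))
        return -1;
    tb->insert_size[h + 1] = (DC_SIZE + KEY_SIZE) * (tb->blknum[h] - 1);
    return 0;
}

int main(void)
{
    struct tb_model tb = { .blknum = { 1, 2, 3, 2, 2 } };  /* constructed */
    for (int h = 0; h < MAX_HEIGHT; h++)
        printf("h=%d offset=%zu rc=%d\n", h, slot_offset(h + 1),
               set_next_insert_size(&tb, h));
    printf("next_field starts at %zu\n", offsetof(struct tb_model, next_field));
    return 0;
}
```

Whether `n_h` can actually reach 4 at that point in `fix_nodes()` is the open question in the message; the model only shows what the index would address if it did.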
