From: Sitsofe Wheeler <sitsofe@yahoo.com>
To: "fio@vger.kernel.org" <fio@vger.kernel.org>
Subject: [PATCH] io_u_qiter: Fix buffer overrun
Date: Thu, 13 Feb 2014 07:06:40 +0000
Message-ID: <20140213070625.GA9117@sucs.org>
In io_u_queue.h the io_u_qiter macro loops around io_u_queue
structures. The problem comes with the end of loop initialisation:
i++, io_u = (q)->io_us[i]
For example, if io_us consists of one element and i is 0 then after the
first iteration is completed i++, io_u = (q)->io_us[i] will access
beyond the end of io_us.
Fix this by moving io_u initialisation to the expression part of the for
loop (yuck).
Found by Dr Memory.
Signed-off-by: Sitsofe Wheeler <sitsofe@yahoo.com>
---
io_u_queue.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_u_queue.h b/io_u_queue.h
index 4f6e8e6..5b6cad0 100644
--- a/io_u_queue.h
+++ b/io_u_queue.h
@@ -29,7 +29,7 @@ static inline int io_u_qempty(struct io_u_queue *q)
}
#define io_u_qiter(q, io_u, i) \
- for (i = 0, io_u = (q)->io_us[0]; i < (q)->nr; i++, io_u = (q)->io_us[i])
+ for (i = 0; i < (q)->nr && (io_u = (q)->io_us[i]); i++)
int io_u_qinit(struct io_u_queue *q, unsigned int nr);
void io_u_qexit(struct io_u_queue *q);
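Review bot: the new condition on the + line, i < (q)->nr && (io_u = (q)->io_us[i]), also ends the loop at the first NULL entry in io_us, whereas the old header ran the body nr times whatever the pointer value was. If slots below nr can never be NULL, a short comment above the macro stating that would document the assumption; if they can, a form such as ((io_u = (q)->io_us[i]), 1) keeps the bounds check ahead of the read without adding the early exit. The commit message covers the read at index nr; the removed line also read io_us[0] when nr is 0, which the + line avoids and which could be mentioned there too.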
--
1.8.5.3
--
Sitsofe | http://sucs.org/~sits/
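
The overrun described in the commit message, as an added example (not code from fio or from this patch): both loop headers are copied with the slot read routed through a hypothetical slot() helper that records the highest index touched. struct io_u, walk(), the sample arrays and the spare guard slot are constructed for the demo; it goes slightly beyond the message by also covering an empty queue and a NULL entry.

```c
#include <stdio.h>

struct io_u { int id; };                 /* stand-in, not fio's struct io_u */
struct io_u_queue { struct io_u **io_us; unsigned int nr; };

static int max_idx;                      /* highest slot index read so far */

/* All slot reads go through here so an index >= nr is recorded. */
static struct io_u *slot(struct io_u_queue *q, unsigned int i)
{
    if ((int)i > max_idx)
        max_idx = (int)i;
    return q->io_us[i];
}

/* Loop headers from the patch, with io_us[i] routed through slot(). */
#define QITER_OLD(q, io_u, i) \
    for (i = 0, io_u = slot(q, 0); i < (q)->nr; i++, io_u = slot(q, i))
#define QITER_NEW(q, io_u, i) \
    for (i = 0; i < (q)->nr && (io_u = slot(q, i)); i++)

static struct io_u a = {1}, b = {2}, c = {3};
/* Constructed data; slot 3 is a spare guard so the demo stays in bounds. */
static struct io_u *full[4]   = { &a, &b, &c, NULL };
static struct io_u *sparse[4] = { &a, NULL, &c, NULL };

/* Walk the first nr slots (nr <= 3); report bodies run, return highest slot read. */
int walk(int use_new, struct io_u **slots, unsigned int nr, int *bodies)
{
    struct io_u_queue q = { slots, nr };
    struct io_u *io_u;
    unsigned int i;

    max_idx = -1;
    *bodies = 0;
    if (use_new) { QITER_NEW(&q, io_u, i) { (void)io_u; ++*bodies; } }
    else         { QITER_OLD(&q, io_u, i) { (void)io_u; ++*bodies; } }
    return max_idx;
}

int main(void)
{
    int n, hi;
    hi = walk(0, full, 1, &n);   printf("old nr=1: highest slot %d\n", hi);
    hi = walk(1, full, 1, &n);   printf("new nr=1: highest slot %d\n", hi);
    hi = walk(1, sparse, 3, &n); printf("new, NULL at 1: %d bodies\n", n);
    return 0;
}
```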