Bug fixes for currently harmless bugs that could rise to bite

the unwary if the code were called in slightly different ways. 1) In ufs_bmaparray() the code for calculating 'runb' will stop one block short of the first entry in an indirect block. i.e. if an indirect block contains N block numbers b[0]..b[N-1] then the code will never check if b[0] and b[1] are sequential. For reference, compare with the equivalent code that deals with direct blocks. 2) In ufs_lookup() there is an off-by-one error in the test that checks if dp->i_diroff is outside the range of the the current directory size. This is completely harmless, since the following while-loop condition 'dp->i_offset < endsearch' is never met, so the code immediately does a second pass starting at dp->i_offset = 0. 3) Again in ufs_lookup(), the condition in a sanity check is wrong for directories that are longer than one block. This bug means that the sanity check is only effective for small directories. Submitted by: Ian Dowse <iedowse@maths.tcd.ie>
2000-03-15 07:18:15 +00:00 · 2000-03-15 07:18:15 +00:00 · 15e549f668
commit 15e549f668
parent 9f043878d0
4 changed files with 6 additions and 6 deletions
--- a/sys/gnu/ext2fs/ext2_bmap.c
+++ b/sys/gnu/ext2fs/ext2_bmap.c
@ -214,7 +214,7 @@ ufs_bmaparray(vp, bn, bnp, ap, nump, runp, runb)
 			    ++bn, ++*runp);
 			bn = xap->in_off;
 			if (runb && bn) {
-				for(--bn; bn > 0 && *runb < maxrun &&
+				for(--bn; bn >= 0 && *runb < maxrun &&
 			    		is_sequential(ump, ((daddr_t *)bp->b_data)[bn],
 					    ((daddr_t *)bp->b_data)[bn+1]);
 			    		--bn, ++*runb);
--- a/sys/gnu/fs/ext2fs/ext2_bmap.c
+++ b/sys/gnu/fs/ext2fs/ext2_bmap.c
@ -214,7 +214,7 @@ ufs_bmaparray(vp, bn, bnp, ap, nump, runp, runb)
 			    ++bn, ++*runp);
 			bn = xap->in_off;
 			if (runb && bn) {
-				for(--bn; bn > 0 && *runb < maxrun &&
+				for(--bn; bn >= 0 && *runb < maxrun &&
 			    		is_sequential(ump, ((daddr_t *)bp->b_data)[bn],
 					    ((daddr_t *)bp->b_data)[bn+1]);
 			    		--bn, ++*runb);
--- a/sys/ufs/ufs/ufs_bmap.c
+++ b/sys/ufs/ufs/ufs_bmap.c
@ -214,7 +214,7 @@ ufs_bmaparray(vp, bn, bnp, ap, nump, runp, runb)
 			    ++bn, ++*runp);
 			bn = xap->in_off;
 			if (runb && bn) {
-				for(--bn; bn > 0 && *runb < maxrun &&
+				for(--bn; bn >= 0 && *runb < maxrun &&
 			    		is_sequential(ump, ((daddr_t *)bp->b_data)[bn],
 					    ((daddr_t *)bp->b_data)[bn+1]);
 			    		--bn, ++*runb);
--- a/sys/ufs/ufs/ufs_lookup.c
+++ b/sys/ufs/ufs/ufs_lookup.c
@ -192,7 +192,7 @@ ufs_lookup(ap)
 	 */
 	bmask = VFSTOUFS(vdp->v_mount)->um_mountp->mnt_stat.f_iosize - 1;
 	if (nameiop != LOOKUP || dp->i_diroff == 0 ||
-	    dp->i_diroff > dp->i_size) {
+	    dp->i_diroff >= dp->i_size) {
 		entryoffsetinblock = 0;
 		dp->i_offset = 0;
 		numdirpasses = 1;
@ -411,9 +411,9 @@ ufs_lookup(ap)
 	 * Check that directory length properly reflects presence
 	 * of this entry.
 	 */
-	if (entryoffsetinblock + DIRSIZ(OFSFMT(vdp), ep) > dp->i_size) {
+	if (dp->i_offset + DIRSIZ(OFSFMT(vdp), ep) > dp->i_size) {
 		ufs_dirbad(dp, dp->i_offset, "i_size too small");
-		dp->i_size = entryoffsetinblock + DIRSIZ(OFSFMT(vdp), ep);
+		dp->i_size = dp->i_offset + DIRSIZ(OFSFMT(vdp), ep);
 		dp->i_flag |= IN_CHANGE | IN_UPDATE;
 	}
 	brelse(bp);