-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Hans -

I've been playing around with the Coverity code checker, and while I
think it still sees a few too many false positives, it's a good tool.

Anyway, one of the potential bugs it came up with in reiserfs was this one:

struct tree_balance contains a number of arrays of size MAX_HEIGHT (5).
In fix_nodes(), line 2502, we see:
    p_s_tb->insert_size[n_h + 1] =
        (DC_SIZE + KEY_SIZE) * (p_s_tb->blknum[n_h] - 1);

I haven't run a thorough analysis, but is it possible for n_h to be 4
there, and then n_h + 1 would be 5, overrunning into the next field of
struct tree_balance? The tool seems to think so, but it also thought
that not checking that dentry->d_inode != NULL after calling
inode->i_op->mkdir was invalid, even though a successful return value
implies that dentry->d_inode != NULL.

-Jeff

--
Jeff Mahoney
SUSE Labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEGIkGLPWxlyuTD7IRAno5AJ92Qql/sMnii2Kk2VdFlLs/Hbpc3ACffcjT
qsw0pCCjm2DfeMA67n5sLu4=
=1bzF
-----END PGP SIGNATURE-----
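The overrun Jeff describes, modelled as an added example that is not part of his mail and not reiserfs code: a constructed struct with back-to-back MAX_HEIGHT arrays (the real struct tree_balance, DC_SIZE and KEY_SIZE values are not reproduced; the sizes here are placeholders), an offsetof check showing that insert_size[MAX_HEIGHT] would land on the neighbouring array, and a checked wrapper that rejects any n_h for which n_h + 1 is not a valid index. The function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the layout described in the e-mail: several
 * arrays of MAX_HEIGHT elements laid out back to back. This is not the
 * real struct tree_balance, only a model of the indexing problem. */
#define MAX_HEIGHT 5
#define DC_SIZE    16   /* placeholder, not the real reiserfs constant */
#define KEY_SIZE   16   /* placeholder, not the real reiserfs constant */

struct tb_model {
    int insert_size[MAX_HEIGHT];
    int blknum[MAX_HEIGHT];
    int next_field;            /* stands in for whatever follows blknum */
};

/* Returns nonzero if insert_size[MAX_HEIGHT] occupies the same offset as
 * blknum[0], i.e. whether a write with n_h + 1 == MAX_HEIGHT would alias
 * the neighbouring field. Computed from the layout with offsetof, so
 * nothing out of bounds is ever dereferenced. */
int overrun_aliases_next_array(void)
{
    size_t end_of_insert_size = offsetof(struct tb_model, insert_size)
                              + MAX_HEIGHT * sizeof(int);
    return end_of_insert_size == offsetof(struct tb_model, blknum);
}

/* The expression quoted in the e-mail, with the index validated by the
 * caller. Kept static so the checked wrapper below is the only entry
 * point that takes an unvalidated n_h. */
static void set_insert_size_unchecked(struct tb_model *tb, int n_h)
{
    tb->insert_size[n_h + 1] = (DC_SIZE + KEY_SIZE) * (tb->blknum[n_h] - 1);
}

/* Checked version: refuse any n_h for which n_h + 1 is not a valid index.
 * Returns 0 on success, -1 when the write would overrun insert_size. */
int set_insert_size_checked(struct tb_model *tb, int n_h)
{
    if (n_h < 0 || n_h + 1 >= MAX_HEIGHT)
        return -1;
    set_insert_size_unchecked(tb, n_h);
    return 0;
}

/* Builds a sample tb_model with constructed blknum[i] = i + 2, applies
 * the checked write for n_h and returns its status. */
int demo_status(int n_h)
{
    struct tb_model tb;
    memset(&tb, 0, sizeof tb);
    for (int i = 0; i < MAX_HEIGHT; i++)
        tb.blknum[i] = i + 2;
    return set_insert_size_checked(&tb, n_h);
}

/* Same sample, but returns the value written to insert_size[n_h + 1],
 * or -1 when the checked write rejected n_h. */
int demo_value(int n_h)
{
    struct tb_model tb;
    memset(&tb, 0, sizeof tb);
    for (int i = 0; i < MAX_HEIGHT; i++)
        tb.blknum[i] = i + 2;
    if (set_insert_size_checked(&tb, n_h) != 0)
        return -1;
    return tb.insert_size[n_h + 1];
}

int main(void)
{
    printf("insert_size[MAX_HEIGHT] aliases blknum[0]: %s\n",
           overrun_aliases_next_array() ? "yes" : "no");
    printf("n_h = 3: status %d, insert_size[4] = %d\n",
           demo_status(3), demo_value(3));
    printf("n_h = 4: status %d (rejected, blknum untouched)\n",
           demo_status(4));
    return 0;
}
```

The offsetof check is the layout fact behind the tool's warning: with nothing but int arrays between them, the element one past the end of insert_size is the first element of blknum, so the unchecked write for n_h == MAX_HEIGHT - 1 silently corrupts the next array rather than faulting. Whether n_h can actually reach that value in fix_nodes() is the question the mail leaves open; the wrapper shows the cheap guard that makes the answer irrelevant.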
