Module Name: src Committed By: dholland Date: Sun Sep 20 04:50:58 UTC 2015
Modified Files: src/sys/ufs/lfs: lfs_accessors.h Log Message: Fix glaringly stupid overflow/sizing bug in -r1.25. The part I don't get is how it passed testing... To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 src/sys/ufs/lfs/lfs_accessors.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/ufs/lfs/lfs_accessors.h
diff -u src/sys/ufs/lfs/lfs_accessors.h:1.27 src/sys/ufs/lfs/lfs_accessors.h:1.28
--- src/sys/ufs/lfs/lfs_accessors.h:1.27 Tue Sep 15 15:02:25 2015
+++ src/sys/ufs/lfs/lfs_accessors.h Sun Sep 20 04:50:58 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: lfs_accessors.h,v 1.27 2015/09/15 15:02:25 dholland Exp $ */
+/* $NetBSD: lfs_accessors.h,v 1.28 2015/09/20 04:50:58 dholland Exp $ */
 /* from NetBSD: lfs.h,v 1.165 2015/07/24 06:59:32 dholland Exp */
 /* from NetBSD: dinode.h,v 1.22 2013/01/22 09:39:18 dholland Exp */
 
@@ -317,11 +317,16 @@ static __unused inline void
 lfs_copydirname(STRUCT_LFS *fs, char *dest, const char *src, unsigned namlen, unsigned reclen)
 {
+ unsigned spacelen;
+
+ KASSERT(reclen > sizeof(struct lfs_dirheader));
+ spacelen = reclen - sizeof(struct lfs_dirheader);
+
 /* must always be at least 1 byte as a null terminator */
- KASSERT(reclen > namlen);
+ KASSERT(spacelen > namlen);
 
 memcpy(dest, src, namlen);
- memset(dest + namlen, '\0', reclen - namlen);
+ memset(dest + namlen, '\0', spacelen - namlen);
 }
 
 /*
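Review bot: Both bounds checks in the new `lfs_copydirname` body are `KASSERT`s, which are compiled out of kernels built without DIAGNOSTIC. In such a build `reclen - sizeof(struct lfs_dirheader)` and `spacelen - namlen` are plain unsigned subtractions, so a violated precondition wraps to a very large `memset` length and writes far past `dest`. The callers are outside this hunk; if any of them take `namlen` or `reclen` from an on-disk directory entry, those values need a runtime check before the call, because the function returns void and cannot report failure. The sizing contract that went wrong in -r1.25 is also not written down anywhere in the hunk (any comment above the function lies outside it), so I would add something like `/* reclen is the whole record size, header included; dest must hold reclen - sizeof(struct lfs_dirheader) bytes and namlen must be smaller than that */`.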