Hi, there is a potential off by one in function fillinusemap() leading to possible out of boundary access (32 bytes after allocated area).
pmp->pm_inusemap is allocated in msdosfs_vfsops.c like this: bmapsiz = (pmp->pm_maxcluster + N_INUSEBITS - 1) / N_INUSEBITS; pmp->pm_inusemap = malloc(bmapsiz * sizeof(*pmp->pm_inusemap), M_MSDOSFSFAT, M_WAITOK | M_CANFAIL); and accessed in msdosfs_fat.c like this: for (cn = 0; cn < (pmp->pm_maxcluster + N_INUSEBITS) / N_INUSEBITS; cn++) Assignment of bmapsiz and for-condition should be equal, and actually resemble a resolved version of howmany macro (hint to my howmany mail ;)). Unfortunately "- 1" is missing in for-loop. This _can_ lead to out of boundary access, depending on actual pmp->pm_maxcluster value. Tobias Index: msdosfs_fat.c =================================================================== RCS file: /cvs/src/sys/msdosfs/msdosfs_fat.c,v retrieving revision 1.24 diff -u -p -r1.24 msdosfs_fat.c --- msdosfs_fat.c 11 Jun 2013 16:42:16 -0000 1.24 +++ msdosfs_fat.c 16 Jun 2014 21:54:43 -0000 @@ -866,7 +866,7 @@ fillinusemap(struct msdosfsmount *pmp) * Mark all clusters in use, we mark the free ones in the fat scan * loop further down. */ - for (cn = 0; cn < (pmp->pm_maxcluster + N_INUSEBITS) / N_INUSEBITS; cn++) + for (cn = 0; cn < (pmp->pm_maxcluster + N_INUSEBITS - 1) / N_INUSEBITS; cn++) pmp->pm_inusemap[cn] = (u_int)-1; /*
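Review bot: before moving the "- 1" into the loop, confirm what pm_maxcluster denotes, because that decides which of the two sites is wrong. If it is the highest valid cluster number (inclusive), the bitmap must hold pm_maxcluster + 1 bits, the existing for-condition `(pmp->pm_maxcluster + N_INUSEBITS) / N_INUSEBITS` already equals howmany(pmp->pm_maxcluster + 1, N_INUSEBITS), and the short side is the bmapsiz computation in msdosfs_vfsops.c; the patched loop would then stop one word early on a malloc'd (non-zeroed) array and leave the last word's in-use bits unset rather than fix the overrun. Either way, write both sites as howmany() over the same expression, e.g. `bmapsiz = howmany(pmp->pm_maxcluster + 1, N_INUSEBITS);` and `for (cn = 0; cn < howmany(pmp->pm_maxcluster + 1, N_INUSEBITS); cn++)`, so the allocation and the loop cannot drift apart again. The two expressions as quoted differ exactly when pm_maxcluster is a multiple of N_INUSEBITS, which is why the overrun depends on the actual value.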
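The sizing mismatch described in the mail, worked through as an added example (not OpenBSD code and not the author's patch): it evaluates the allocation expression from msdosfs_vfsops.c and both versions of the fillinusemap() loop bound over a range of pm_maxcluster values, reports where the loop runs past the allocation, and simulates the marking loop against a guard word to catch the overrun at run time. It assumes N_INUSEBITS is the number of bits in a u_int; the `words_needed_inclusive` helper is a hypothetical addition that assumes pm_maxcluster is the highest valid cluster number, which the mail does not state.

```c
/* Added example, not from the msdosfs sources: compare the pm_inusemap
 * allocation size with the fillinusemap() loop bound quoted in the mail. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

typedef unsigned int u_int;

/* Assumption: N_INUSEBITS is the number of bits in one u_int word (32 here). */
#define N_INUSEBITS (sizeof(u_int) * CHAR_BIT)

#ifndef howmany
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#endif

/* Words allocated for pm_inusemap (bmapsiz in msdosfs_vfsops.c, as quoted). */
static size_t alloc_words(u_int maxcluster)
{
	return (maxcluster + N_INUSEBITS - 1) / N_INUSEBITS;
}

/* Words written by the fillinusemap() loop before the patch. */
static size_t loop_words_before(u_int maxcluster)
{
	return (maxcluster + N_INUSEBITS) / N_INUSEBITS;
}

/* Words written by the loop after the patch ("- 1" added). */
static size_t loop_words_after(u_int maxcluster)
{
	return (maxcluster + N_INUSEBITS - 1) / N_INUSEBITS;
}

/* How many words a given loop bound reaches past the allocation (0 = in bounds). */
static size_t overrun_words(u_int maxcluster, size_t (*loop)(u_int))
{
	size_t a = alloc_words(maxcluster), l = loop(maxcluster);
	return l > a ? l - a : 0;
}

/* Hypothetical helper: words needed if pm_maxcluster is the highest valid
 * cluster number, i.e. clusters 0..pm_maxcluster need pm_maxcluster + 1 bits. */
static size_t words_needed_inclusive(u_int maxcluster)
{
	return howmany((size_t)maxcluster + 1, N_INUSEBITS);
}

/* Run the marking loop on a buffer of alloc_words() words plus one zeroed
 * guard word; returns 1 if the loop wrote into the guard (out of bounds). */
static int loop_writes_out_of_bounds(u_int maxcluster, size_t (*loop)(u_int))
{
	size_t a = alloc_words(maxcluster), l = loop(maxcluster), cn;
	u_int *map = calloc(a + 1, sizeof(*map));
	int hit;

	if (map == NULL)
		return -1;
	for (cn = 0; cn < l && cn < a + 1; cn++)	/* never exceed the guard */
		map[cn] = (u_int)-1;
	hit = map[a] != 0;
	free(map);
	return hit;
}

int main(void)
{
	/* Constructed sample values around multiples of N_INUSEBITS. */
	u_int samples[] = { 0, 31, 32, 33, 63, 64, 65, 4095, 4096 };
	size_t i;

	printf("%-10s %-6s %-11s %-10s %-8s\n",
	    "maxcluster", "alloc", "loop_before", "loop_after", "overrun");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		u_int m = samples[i];
		printf("%-10u %-6zu %-11zu %-10zu %-8zu%s\n", m, alloc_words(m),
		    loop_words_before(m), loop_words_after(m),
		    overrun_words(m, loop_words_before),
		    loop_writes_out_of_bounds(m, loop_words_before) == 1 ?
		    "  <- guard word overwritten" : "");
	}
	return 0;
}
```

Run it and the overrun column is 1 exactly on the rows where pm_maxcluster is a multiple of N_INUSEBITS, which is the "depending on actual pm_maxcluster value" in the mail; the `words_needed_inclusive` column, if you add it to the table, shows which of the two expressions matches the cluster count under the inclusive reading.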