Re: [CHECKER] 74 potential buffer overruns in 2.5.33

From: Nikita Danilov (Nikita@Namesys.COM)
Date: Wed Nov 20 2002 - 03:53:37 EST


Andy Chou writes:
> Here are 74 out-of-bounds array accesses in Linux 2.5.33 found by the
> MC checker. This checker only considers statically allocated arrays
> with indices that can be calculated at compile time.
>
> The code fragment in each description below is incomplete; you'll need
> to look at the source in some cases to determine if the report is
> really a bug.
>
> We'd appreciate any feedback -- even if it's not a bug.
>
> -Andy Chou
>
>
> # BUGs | File Name
> 4 | /isdn/isdn_common.c
> 4 | /message/i2o_block.c
> 4 | /net/sch_gred.c

[...]

> ---------------------------------------------------------
> [BUG] Not really sure. Maybe just missing an assert?
> /home/acc/linux/2.5.33/fs/reiserfs/fix_node.c:2400:fix_nodes:
> ERROR:BUFFER:2400:2400:Array bounds error: p_s_tb->insert_size[5] indexed
> with [5]
> become the root node. */
>
> RFALSE( n_h == MAX_HEIGHT - 1,
> "PAP-8355: attempt to create too high of a
> tree");

RFALSE asserts that (n_h == MAX_HEIGHT - 1) is false. It is only
compiled conditionally, though. Hmm, and trees are rather tall than high.

>
>
> Error --->
> p_s_tb->insert_size[n_h + 1] = (DC_SIZE + KEY_SIZE) *
> (p_s_tb->blknum[n_h] - 1) + DC_SIZE;
> }
> else
> if ( n_h < MAX_HEIGHT - 1 )

Nikita.
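The point of the reply above, that an assertion compiled only in debug builds leaves the `n_h + 1` store unguarded elsewhere, shown as an added example that is not reiserfs code and not from the original mail. The struct, the `MODEL_RFALSE` macro, the `MODEL_DEBUG` switch and the constant values are assumptions; the array carries one extra canary slot so the out-of-range store is observable without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_HEIGHT 5      /* array length from the checker's "insert_size[5]" */
#define DC_SIZE    8      /* constructed value */
#define KEY_SIZE   16     /* constructed value */
#define CANARY     0x5afe

/* Hypothetical model: MAX_HEIGHT real entries plus one canary slot that
   stands in for whatever field follows the array. */
struct tb_model {
    int slots[MAX_HEIGHT + 1];
    int blknum[MAX_HEIGHT];
};

/* Debug-only assertion in the style of RFALSE; MODEL_DEBUG is an assumed switch. */
#ifdef MODEL_DEBUG
#define MODEL_RFALSE(cond, msg) do { if (cond) { fputs(msg "\n", stderr); abort(); } } while (0)
#else
#define MODEL_RFALSE(cond, msg) do { } while (0)
#endif

static void tb_init(struct tb_model *tb)
{
    for (int i = 0; i < MAX_HEIGHT; i++) { tb->slots[i] = 0; tb->blknum[i] = 2; }
    tb->slots[MAX_HEIGHT] = CANARY;
}
/* Reported pattern: the assertion is the only guard on n_h + 1. */
static void grow_assert_only(struct tb_model *tb, int n_h)
{
    MODEL_RFALSE(n_h == MAX_HEIGHT - 1, "attempt to create too high of a tree");
    tb->slots[n_h + 1] = (DC_SIZE + KEY_SIZE) * (tb->blknum[n_h] - 1) + DC_SIZE;
}
/* Hardened pattern: the bound is enforced in every build. */
static int grow_checked(struct tb_model *tb, int n_h)
{
    if (n_h < 0 || n_h >= MAX_HEIGHT - 1)
        return -1;
    tb->slots[n_h + 1] = (DC_SIZE + KEY_SIZE) * (tb->blknum[n_h] - 1) + DC_SIZE;
    return 0;
}
static int canary_intact(const struct tb_model *tb) { return tb->slots[MAX_HEIGHT] == CANARY; }

int main(void)
{
    struct tb_model a, b;
    tb_init(&a);
    tb_init(&b);
    grow_assert_only(&a, MAX_HEIGHT - 1);   /* aborts only when built with -DMODEL_DEBUG */
    int rc = grow_checked(&b, MAX_HEIGHT - 1);
    printf("assert-only intact=%d, checked rc=%d intact=%d\n", canary_intact(&a), rc, canary_intact(&b));
    return 0;
}
```

Built with `-DMODEL_DEBUG`, the first call aborts instead of overwriting the canary.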