Re: [PATCH v2 2/2] hfs/hfsplus: zero-initialize buffer in hfs_bnode_read
From: Tristan Madani
Date: Thu May 07 2026 - 12:38:32 EST
On Wed, 2026-05-06 at 12:23 -0700, Viacheslav Dubeyko wrote:
> We are returning back to my same question. What if the caller of
> hfs_bnode_read() provides len == 0 somehow but the buffer has a non-zero size
> on the caller side? I assume that memset() will do nothing and the buffer will
> still not be initialized. Am I correct here?
You are correct that memset(buf, 0, 0) is a no-op. But if the caller
passes len == 0, it is asking to read zero bytes -- it should not
expect the function to initialize anything beyond that.
The bug this fixes is different: callers pass a non-zero len (e.g.
hfs_bnode_read_u16 passes 2, hfs_bnode_read_u8 passes 1), but
check_and_correct_requested_length() internally reduces the effective
read to 0 due to a corrupted image. The memset runs with the original
caller-supplied len before any internal validation, so the buffer is
already zeroed by the time the early-return happens.
No current caller passes len == 0 -- hfs_bnode_read_u16() always
passes 2, hfs_bnode_read_u8() always passes 1, and hfs_bnode_read_key()
passes a key_len that is validated against the btree key size.
Thanks,
Tristan
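As an added illustration (not the kernel's code and not part of this thread), the following simplified C model shows the pattern Tristan describes: the buffer is zeroed with the caller-supplied len before a clamping check may shrink the effective read to 0, so the early return still leaves the caller's buffer initialized. The `model_*` names, the node struct and the sample bytes are all constructed assumptions, not the HFS+ implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a b-tree node: only `avail` bytes are really
 * present; a corrupted image may make this smaller than a caller asks
 * for. This is NOT the kernel's struct hfs_bnode. */
struct model_bnode {
    const uint8_t *data;
    size_t avail;
};

/* Stand-in for check_and_correct_requested_length(): clamps a read of
 * `len` bytes at `off` to what the node holds, possibly to 0. */
static size_t model_clamp_len(const struct model_bnode *node, size_t off, size_t len)
{
    if (off >= node->avail)
        return 0;
    if (len > node->avail - off)
        len = node->avail - off;
    return len;
}

/* Zero the caller's buffer with the caller-supplied len BEFORE the
 * validation, so an early return on a corrupted node never leaks
 * uninitialized stack/heap contents through `buf`. */
static size_t model_bnode_read(const struct model_bnode *node, void *buf,
                               size_t off, size_t len)
{
    size_t eff;

    memset(buf, 0, len);            /* no-op when len == 0, as discussed */
    eff = model_clamp_len(node, off, len);
    if (eff == 0)
        return 0;                   /* early return: buf is already zeroed */
    memcpy(buf, node->data + off, eff);
    return eff;
}

/* Mirrors the hfs_bnode_read_u16() usage pattern: always asks for 2 bytes. */
static uint16_t model_bnode_read_u16(const struct model_bnode *node, size_t off)
{
    uint16_t v;

    model_bnode_read(node, &v, off, sizeof(v));
    return v;
}

/* Demo on constructed data: the same 2-byte read succeeds on an intact
 * node and yields a fully zeroed value on a node truncated to 1 byte. */
static int model_demo(void)
{
    static const uint8_t raw[] = { 0x12, 0x34, 0x56 };
    struct model_bnode good = { raw, sizeof(raw) };
    struct model_bnode corrupt = { raw, 1 };

    return model_bnode_read_u16(&good, 1) != 0 &&
           model_bnode_read_u16(&corrupt, 1) == 0;
}
```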