Today's patches

Julien ÉLIE julien at trigofacile.com
Fri May 8 16:41:03 UTC 2015 

Hi Richard,

gcc warns about the new initialization { 0 }.  Shouldn't the struct
be initialized with as many "0" as there are elements in the struct?

art.c:448:24: warning: missing field 'data' initializer
      [-Wmissing-field-initializers]
  ARTHANDLE     arth = { 0 };



>>> Subject: [PATCH 2/3] Remove redundant (broken!) code
>>>
>>> The check was (i) off by one and (ii) can never happen, given the
>>> loop condition.
>>
>> At the end of the loop, we have:
>>
>>          parent = &entry->next.recno;
>>          current = *parent;
> 
> Yes - but that is too late for the call to entry_splice(), which is
> where the user-after-munmap (or use-after-free) would occur.  So parent
> must be recomputed somehow if a remap occurs.  The conservative way to
> do it would be just to start again from the top.

Suggestion of patch:

--- tradindexed/tdx-group.c	(révision 9852)
+++ tradindexed/tdx-group.c	(copie de travail)
@@ -359,7 +359,7 @@
        their next entry is entry 0.  We don't want to leave things in this
        state (particularly if this was the first expansion of the index file,
        in which case entry 0 points to entry 0 and our walking functions may
-       go into infinite loops.  Undo the file expansion. */
+       go into infinite loops).  Undo the file expansion. */
     if (!index_map(index)) {
         index->count -= 1024;
         if (ftruncate(index->fd, index_file_size(index->count)) < 0) {
@@ -558,11 +558,20 @@
     parent = &index->header->hash[index_bucket(hash)].recno;
     current = *parent;
 
-    while (current >= 0 && current < index->count) {
+    while (current >= 0) {
         struct group_entry *entry;
 
-        if (current > index->count && !index_maybe_remap(index, current))
-            return -1;
+        if (current >= index->count) {
+            if (!index_maybe_remap(index, current)) {
+                return -1;
+            }
+            parent = &index->header->hash[index_bucket(hash)].recno;
+            current = *parent;
+            if (current < 0 || current >= index->count) {
+                syswarn("tradindexed: entry %ld out of range", current);
+                return -1;
+            }
+        }
         entry = &index->entries[current];
         if (entry->deleted == 0)
             if (memcmp(&hash, &entry->hash, sizeof(hash)) == 0) {



-- 
Julien ÉLIE

« Vinum bonum laetificat cor hominis. »

More information about the inn-workers mailing list