authormckusick <mckusick@FreeBSD.org>2014-03-22 11:43:35 +0000
committermckusick <mckusick@FreeBSD.org>2014-03-22 11:43:35 +0000
commitae026680343a9bae46e2bb2e38961d9450a370c0 (patch)
treed612b916fc2e9d4cdb5e9282d938051d9ad2bfa6 /sbin
parent4cc5e3a4e513be11c65c86f07555d496ed75923f (diff)
MFC of 263062:
Avoid segment fault when attempting to clean up cylinder group buffer cache. PR: 187221 Submitted by: Petr Lampa <lampa@fit.vutbr.cz> Obtained from: Petr Lampa <lampa@fit.vutbr.cz> MFC after: 1 week MFC of 262488: Arguments for malloc and calloc should be size_t, not int. Use proper bounds check when trying to free cached memory. Spotted by: Xin Li Tested by: Dmitry Sivachenko MFC after: 2 weeks
Diffstat (limited to 'sbin')
-rw-r--r--sbin/fsck_ffs/fsck.h4
-rw-r--r--sbin/fsck_ffs/fsutil.c18
2 files changed, 13 insertions, 9 deletions
diff --git a/sbin/fsck_ffs/fsck.h b/sbin/fsck_ffs/fsck.h
index a7b5961..c0ec651 100644
--- a/sbin/fsck_ffs/fsck.h
+++ b/sbin/fsck_ffs/fsck.h
@@ -369,7 +369,7 @@ int flushentry(void);
* to get space.
*/
static inline void*
-Malloc(int size)
+Malloc(size_t size)
{
void *retval;
@@ -384,7 +384,7 @@ Malloc(int size)
* to get space.
*/
static inline void*
-Calloc(int cnt, int size)
+Calloc(size_t cnt, size_t size)
{
void *retval;
diff --git a/sbin/fsck_ffs/fsutil.c b/sbin/fsck_ffs/fsutil.c
index 4b44fd4..bc80e2f 100644
--- a/sbin/fsck_ffs/fsutil.c
+++ b/sbin/fsck_ffs/fsutil.c
@@ -225,7 +225,7 @@ cgget(int cg)
struct cg *cgp;
if (cgbufs == NULL) {
- cgbufs = Calloc(sblock.fs_ncg, sizeof(struct bufarea));
+ cgbufs = calloc(sblock.fs_ncg, sizeof(struct bufarea));
if (cgbufs == NULL)
errx(EEXIT, "cannot allocate cylinder group buffers");
}
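Review bot: The switch from `Calloc` to plain `calloc` for the `cgbufs` allocation has no comment explaining it, so a later cleanup could revert it without noticing. Judging from the fsck.h context, the `Calloc` wrapper appears to fall back to `flushentry()` to get space when allocation fails, and `flushentry()` indexes `cgbufs`, which is still NULL at this point. I would add a comment above the call such as `/* Plain calloc: the Calloc wrapper retries via flushentry(), which needs cgbufs to exist. */`. The count `sblock.fs_ncg` comes from the superblock being checked, so it is only as trustworthy as the validation done before cgget(), whose body continues outside the hunk.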
@@ -254,6 +254,8 @@ flushentry(void)
{
struct bufarea *cgbp;
+ if (flushtries == sblock.fs_ncg || cgbufs == NULL)
+ return (0);
cgbp = &cgbufs[flushtries++];
if (cgbp->b_un.b_cg == NULL)
return (0);
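Review bot: The new guard in `flushentry` tests `flushtries == sblock.fs_ncg`, which stops the walk only when the counter lands exactly on the limit. If `flushtries` ever ends up above `fs_ncg` (for example because the superblock value differs from the one used to size `cgbufs` in cgget), `&cgbufs[flushtries++]` indexes past the array. A range comparison closes that case: `if (cgbufs == NULL || flushtries >= sblock.fs_ncg)`. The operand types are not visible here, so check that the change does not introduce a signed/unsigned comparison. flushentry's body continues outside the hunk.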
@@ -434,13 +436,15 @@ ckfini(int markclean)
}
if (numbufs != cnt)
errx(EEXIT, "panic: lost %d buffers", numbufs - cnt);
- for (cnt = 0; cnt < sblock.fs_ncg; cnt++) {
- if (cgbufs[cnt].b_un.b_cg == NULL)
- continue;
- flush(fswritefd, &cgbufs[cnt]);
- free(cgbufs[cnt].b_un.b_cg);
+ if (cgbufs != NULL) {
+ for (cnt = 0; cnt < sblock.fs_ncg; cnt++) {
+ if (cgbufs[cnt].b_un.b_cg == NULL)
+ continue;
+ flush(fswritefd, &cgbufs[cnt]);
+ free(cgbufs[cnt].b_un.b_cg);
+ }
+ free(cgbufs);
}
- free(cgbufs);
pbp = pdirbp = (struct bufarea *)0;
if (cursnapshot == 0 && sblock.fs_clean != markclean) {
if ((sblock.fs_clean = markclean) != 0) {
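Review bot: After `free(cgbufs)` the pointer keeps its old value, yet both cgget and the new guard in flushentry treat `cgbufs == NULL` as the only sign that the cache is absent. If anything can reach cgget() or the Malloc()/Calloc() fallback after ckfini (a second filesystem checked in the same process would be one case, which I cannot confirm from this hunk), it would read and write freed memory. Adding `cgbufs = NULL;` and `flushtries = 0;` right after `free(cgbufs);` makes those NULL checks reliable. ckfini begins and ends outside the hunk.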