[Drbd-dev] [PATCH] lib/lru_cache: Fixed array overflow caused by incorrect boundary handling.
Christoph Böhmwalder
christoph.boehmwalder at linbit.com
Mon Aug 1 17:40:52 CEST 2022
Am 23.07.22 um 09:59 schrieb John Sanpe:
> This problem occurs when malloc element failed on the first time.
> At this time, the counter i is 0. When it's released, we subtract 1
> in advance without checking, which will cause i to become UINT_MAX,
> resulting in array overflow.
>
> Signed-off-by: John Sanpe <sanpeqf at gmail.com>
> ---
> lib/lru_cache.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/lru_cache.c b/lib/lru_cache.c
> index 52313acbfa62..04d95de92602 100644
> --- a/lib/lru_cache.c
> +++ b/lib/lru_cache.c
> @@ -147,7 +147,7 @@ struct lru_cache *lc_create(const char *name, struct kmem_cache *cache,
> return lc;
>
> /* else: could not allocate all elements, give up */
> - for (i--; i; i--) {
> + while (i--) {
> void *p = element[i];
> kmem_cache_free(cache, p - e_off);
> }
Thanks for the fix, looks good to me.
Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder at linbit.com>
--
Christoph Böhmwalder
LINBIT | Keeping the Digital World Running
DRBD HA — Disaster Recovery — Software defined Storage
More information about the drbd-dev
mailing list