NetBSD Problem Report #38431

From yamt@mwd.biglobe.ne.jp  Tue Apr 15 07:41:11 2008
Return-Path: <yamt@mwd.biglobe.ne.jp>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 48C2263B293
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 15 Apr 2008 07:41:11 +0000 (UTC)
Message-Id: <20080415074108.A51B511704@yamt.dyndns.org>
Date: Tue, 15 Apr 2008 16:41:08 +0900 (JST)
From: yamt@mwd.biglobe.ne.jp
Reply-To: yamt@mwd.biglobe.ne.jp
To: gnats-bugs@gnats.NetBSD.org
Subject: getparts in dkwedge_mbr.c seems to use stale data
X-Send-Pr-Version: 3.95

>Number:         38431
>Category:       kern
>Synopsis:       getparts in dkwedge_mbr.c seems to use stale data
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 15 07:45:00 +0000 2008
>Last-Modified:  Tue Apr 15 17:20:02 +0000 2008
>Originator:     YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
>Release:        NetBSD 4.99.59
>Organization:

>Environment:


Architecture: i386
Machine: i386
>Description:
	getparts() recursively calls getparts(), which overwrites the
	contents of a->buf.  Note that 'dp' is still pointing to a->buf
	and will be used in the following iteration of the loop.

		/* Recursively scan extended partitions. */
		for (i = 0; i < MBR_PART_COUNT; i++) {
			uint32_t poff;

			if (MBR_IS_EXTENDED(dp[i].mbrp_type)) {
				poff = le32toh(dp[i].mbrp_start) + extoff;
				getparts(a, poff, extoff ? extoff : poff);
			}
		}

>How-To-Repeat:
	code inspection.
>Fix:


>Audit-Trail:
From: David Laight <david@l8s.co.uk>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/38431: getparts in dkwedge_mbr.c seems to use stale data
Date: Tue, 15 Apr 2008 18:16:28 +0100

 On Tue, Apr 15, 2008 at 07:45:00AM +0000, yamt@mwd.biglobe.ne.jp wrote:
 > >Number:         38431
 > >Synopsis:       getparts in dkwedge_mbr.c seems to use stale data
 ...
 > >Description:
 > 	getparts() recursively calls getparts(), which overwrites the
 > 	contents of a->buf.

 It is probably worth pointing out that the extended partition table
 is a linked list, not a 4-way tree.
 This means the code should be using an iterative parser (like all
 the other code that reads mbr tables).

 	David

 -- 
 David Laight: david@l8s.co.uk

>Unformatted:
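
Added example, not part of the PR and not NetBSD's dkwedge_mbr.c: a user-space C model of the stale a->buf read described in the report, next to an iterative walk of the kind suggested in the reply. The disk layout, read_sector(), getparts_stale(), getparts_iter() and the counting helpers are assumptions made for illustration; values are kept in host byte order, so le32toh() is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NPART 4
#define IS_EXT(t) ((t) == 0x05)          /* model: a single extended type */
struct part { uint8_t type; uint32_t start; };

static const struct part disk[32][NPART] = {   /* constructed disk, indexed by LBA */
    [0]  = { {0x05, 10}, {0x05, 20} },   /* MBR: two extended entries */
    [10] = { {0x83, 1} },                /* EBR: one logical partition */
    [20] = { {0x83, 1} },                /* EBR: one logical partition */
};
static struct part buf[NPART];           /* shared buffer, stands in for a->buf */
static int found;                        /* non-extended entries counted */
static void read_sector(uint32_t lba, struct part *dst) { memcpy(dst, disk[lba % 32], sizeof disk[0]); }

/* Shape of the reported loop: dp aliases buf across the recursive call. */
static void getparts_stale(uint32_t off, uint32_t extoff) {
    const struct part *dp = buf;
    read_sector(off, buf);
    for (int i = 0; i < NPART; i++)
        found += (dp[i].type != 0 && !IS_EXT(dp[i].type));
    for (int i = 0; i < NPART; i++)
        if (IS_EXT(dp[i].type)) {        /* stale after the first recursion */
            uint32_t poff = dp[i].start + extoff;
            getparts_stale(poff, extoff ? extoff : poff);
        }
}

/* Iterative: MBR entries live in a private copy; each EBR chain is a list. */
static void getparts_iter(void) {
    struct part mbr[NPART];
    read_sector(0, mbr);
    for (int i = 0; i < NPART; i++) {
        if (!IS_EXT(mbr[i].type)) { found += mbr[i].type != 0; continue; }
        uint32_t extoff = mbr[i].start, off = extoff;
        for (int hops = 0; hops < 32; hops++) {   /* bound malformed chains */
            int next = -1;
            read_sector(off, buf);
            for (int j = 0; j < NPART; j++)
                if (IS_EXT(buf[j].type)) next = j;
                else found += buf[j].type != 0;
            if (next < 0) break;
            off = buf[next].start + extoff;       /* taken before buf is reused */
        }
    }
}

static int count_stale(void) { found = 0; getparts_stale(0, 0); return found; }
static int count_iter(void) { found = 0; getparts_iter(); return found; }
int main(void) { printf("stale=%d iterative=%d\n", count_stale(), count_iter()); return 0; }
```

On this constructed disk the recursive version never visits the second extended entry, because after the first recursion dp[1] is read from the EBR at sector 10 rather than from the MBR.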
