On Fri, 25 May 2007 05:22:50 +0000 "young dave" <[email protected]> wrote:
> Hi,
>
> > Is this ntfs_init_locked_inode?
>
> Yes, it is.
>
> > > Bytes b4 0xc2959e28: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a
> > > Object 0xc2959e38: 24 00 51 00 00 00 6b a5
> > > Redzone 0xc2959e40: 00 00 cc cc
> >
> > First two bytes after the object overwritten. The allocation for this
> > object should have been two bytes longer.
> >
> > > Last alloc: ntfs_init_locked_inode+0x9e/0x110 jiffies_ago=5140 cpu=0 pid=1604
> >
> > This is the function that allocated a too short object.
> >
>
> Only the last one byte of the string is zeroed, but It malloced 2
> more byte appended the string because size of thentfschar type is 2
> bytes , is this the reason? But why?
>
Thing is, ntfs_inode.name[] is an array of le16's. But local variable `i'
in there is a byte index, not an le16 index. We end up writing that 0x0000
at twice the intended offset.
So I think this was meant:
--- a/fs/ntfs/inode.c~a
+++ a/fs/ntfs/inode.c
@@ -140,7 +140,7 @@ static int ntfs_init_locked_inode(struct
if (!ni->name)
return -ENOMEM;
memcpy(ni->name, na->name, i);
- ni->name[i] = 0;
+ ni->name[na->name_len] = 0;
}
return 0;
}
_
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
