Date: Sun, 27 Apr 1997 23:07:55 +0200 (MET DST)
From: Wolfram Schneider <wosch@apfel.de>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/3398: off by one error in ffs_alloc
Message-ID: <199704272107.XAA07815@campa.panke.de>
Resent-Message-ID: <199704272140.OAA00882@hub.freebsd.org>
>Number: 3398
>Category: kern
>Synopsis: off by one error in ffs_alloc
>Confidential: yes
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 27 14:40:00 PDT 1997
>Last-Modified:
>Originator: Wolfram Schneider
>Organization:
>Release: FreeBSD 2.2-RELEASE i386
>Environment:
>Description:
Ffs_alloc allows users to write one block beyond the limit.

# An almost full file system
$ df /
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/sd0a 32254 29672 2 100% /

# write 8KByte
$ dd if=/dev/zero of=/var/tmp/test2 bs=8k count=1;

# Avail is 6Kbyte beyond the limit
$ df /
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/sd0a 32254 29680 -6 100% /
>How-To-Repeat:
>Fix:
Reading the source, the problem seems to be in ffs_alloc.c line 120.

Index: ffs_alloc.c =================================================================== RCS file: /usr/cvs/src/sys/ufs/ffs/ffs_alloc.c,v retrieving revision 1.33 diff -u -r1.33 ffs_alloc.c --- ffs_alloc.c 1997/03/23 20:08:16 1.33 +++ ffs_alloc.c 1997/04/27 20:58:26 @@ -120,7 +120,7 @@ #endif /* DIAGNOSTIC */ if (size == fs->fs_bsize && fs->fs_cstotal.cs_nbfree == 0) goto nospace; - if (cred->cr_uid != 0 && freespace(fs, fs->fs_minfree) <= 0) + if (cred->cr_uid != 0 && freespace(fs, fs->fs_minfree) - size < 0) goto nospace; #ifdef QUOTA error = chkdq(ip, (long)btodb(size), cred, 0);
>Audit-Trail:
>Unformatted:
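Review bot: The new comparison `freespace(fs, fs->fs_minfree) - size < 0` subtracts `size` as-is, and in this function `size` is a byte count (it is compared against `fs->fs_bsize` just above and passed through `btodb()` just below). Please confirm that `freespace()` returns bytes too; if it returns a count of fragments, convert the request first, for example `numfrags(fs, size)`, otherwise the reserve check will refuse writes far earlier than the minfree limit intends. A short comment on the line saying that the check now accounts for the pending allocation rather than only the current free space would also help the next reader.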