From owner-freebsd-bugs Sun Apr 27 14:40:03 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA00888 for bugs-outgoing; Sun, 27 Apr 1997 14:40:03 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA00882; Sun, 27 Apr 1997 14:40:01 -0700 (PDT)
Resent-Date: Sun, 27 Apr 1997 14:40:01 -0700 (PDT)
Resent-Message-Id: <199704272140.OAA00882@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org,
Received: from bsd.fs.bauing.th-darmstadt.de (bsd.fs.bauing.th-darmstadt.de [130.83.63.241]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA00470 for ; Sun, 27 Apr 1997 14:34:24 -0700 (PDT)
Received: from campa.panke.de (anonymous224.ppp.cs.tu-berlin.de [130.149.17.224]) by bsd.fs.bauing.th-darmstadt.de (8.8.5/8.8.5) with ESMTP id XAA00955 for ; Sun, 27 Apr 1997 23:34:21 +0200 (MET DST)
Received: (from wosch@localhost) by campa.panke.de (8.8.5/8.6.12) id XAA07815; Sun, 27 Apr 1997 23:07:55 +0200 (MET DST)
Message-Id: <199704272107.XAA07815@campa.panke.de>
Date: Sun, 27 Apr 1997 23:07:55 +0200 (MET DST)
From: Wolfram Schneider
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/3398: off by one error in ffs_alloc
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         3398
>Category:       kern
>Synopsis:       off by one error in ffs_alloc
>Confidential:   yes
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 27 14:40:00 PDT 1997
>Last-Modified:
>Originator:     Wolfram Schneider
>Organization:
>Release:        FreeBSD 2.2-RELEASE i386
>Environment:
>Description:

Ffs_alloc allows users to write one block beyond the limit.

# An almost full file system
$ df /
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/sd0a       32254    29672        2     100%  /

# write 8KByte
$ dd if=/dev/zero of=/var/tmp/test2 bs=8k count=1;

# Avail is 6Kbyte beyond the limit
$ df /
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/sd0a       32254    29680       -6     100%  /

>How-To-Repeat:
>Fix:

Reading the source, the problem seems to be in ffs_alloc.c line 120.

Index: ffs_alloc.c
===================================================================
RCS file: /usr/cvs/src/sys/ufs/ffs/ffs_alloc.c,v
retrieving revision 1.33
diff -u -r1.33 ffs_alloc.c
--- ffs_alloc.c	1997/03/23 20:08:16	1.33
+++ ffs_alloc.c	1997/04/27 20:58:26
@@ -120,7 +120,7 @@
 #endif /* DIAGNOSTIC */
 	if (size == fs->fs_bsize && fs->fs_cstotal.cs_nbfree == 0)
 		goto nospace;
-	if (cred->cr_uid != 0 && freespace(fs, fs->fs_minfree) <= 0)
+	if (cred->cr_uid != 0 && freespace(fs, fs->fs_minfree) - size < 0)
 		goto nospace;
 #ifdef QUOTA
 	error = chkdq(ip, (long)btodb(size), cred, 0);
>Audit-Trail:
>Unformatted:
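Review bot: the replacement condition `freespace(fs, fs->fs_minfree) - size < 0` in the hunk mixes units: `size` is a byte count (the same hunk converts it with `btodb(size)` before handing it to chkdq()), while freespace() as defined in fs.h evaluates to a number of free fragments above the minfree reserve. With 8K blocks and 1K fragments the patched check would refuse a non-root 8K write unless some 8192 fragments (8 MB) sit above the reserve, which is far stricter than intended. Convert the request to fragments before subtracting, e.g. `freespace(fs, fs->fs_minfree) - numfrags(fs, size) < 0`; the `cs_nbfree == 0` test above it only covers the case of no free full blocks at all, so the fragment-unit check is the one that closes the up-to-one-block overshoot the df output shows.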
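To make the off-by-one concrete, the following is a small stand-alone C model of the minfree check, added here as an example; it is neither the PR author's code nor the kernel's. It assumes 1K fragments (matching the 1K-blocks df output in the report) and that df's Avail column is the free space above the minfree reserve; fsmodel, freespace_frags(), old_check_allows(), sized_check_allows() and write_with() are names of the model, not of ffs_alloc.c.

```c
#include <stdio.h>
/* Stand-alone model of the FFS minfree check from the PR; not kernel code.
 * Free space is counted in fragments, the allocation request in bytes. */
struct fsmodel {
    long fsize;      /* fragment size in bytes (1K in the PR's df output) */
    long free_frags; /* free fragments on the file system */
    long reserve;    /* fragments held back by minfree for root */
};

/* Free fragments above the reserve; negative once the reserve is eaten. */
static long freespace_frags(const struct fsmodel *fs)
{
    return fs->free_frags - fs->reserve;
}

/* Check as in ffs_alloc.c rev 1.33: the request size is not considered,
 * so a write is refused only once the reserve has already been reached. */
static int old_check_allows(const struct fsmodel *fs, long size)
{
    (void)size;
    return freespace_frags(fs) > 0;
}

/* Check that charges the request, converted to fragments, up front. */
static int sized_check_allows(const struct fsmodel *fs, long size)
{
    long nfrags = size / fs->fsize; /* what numfrags(fs, size) computes */
    return freespace_frags(fs) - nfrags >= 0;
}

/* Push one non-root write of `size` bytes through a check and return the
 * space above the reserve afterwards (unchanged if the write was refused). */
static long write_with(struct fsmodel *fs, long size,
                       int (*allows)(const struct fsmodel *, long))
{
    if (allows(fs, size))
        fs->free_frags -= size / fs->fsize;
    return freespace_frags(fs);
}

int main(void)
{
    /* Constructed to match the PR: 2 fragments left above the reserve. */
    struct fsmodel a = { 1024, 102, 100 }, b = { 1024, 102, 100 };
    printf("rev 1.33 check: avail after 8K write = %ld\n",
           write_with(&a, 8192, old_check_allows));   /* prints -6 */
    printf("sized check:    avail after 8K write = %ld\n",
           write_with(&b, 8192, sized_check_allows)); /* prints 2 */
    return 0;
}
```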