Message-ID: <425248D8.1040508@geminix.org>
Date: Tue, 05 Apr 2005 10:14:16 +0200
From: Uwe Doering
Organization: Private UNIX Site
To: freebsd-security@freebsd.org
References: <200504050009.j35099Zr068123@freefall.freebsd.org>
In-Reply-To: <200504050009.j35099Zr068123@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:02.sendfile

FreeBSD Security Advisories wrote:
> [...]
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 4.x]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.patch.asc
> [...]

The patch file (and CVS, too) contains this:

--------------------- cut here ----------------------
--- sys/ufs/ffs/ffs_inode.c 5 Feb 2002 18:35:03 -0000 1.56.2.5 +++ sys/ufs/ffs/ffs_inode.c 11 Mar 2005 14:29:19 -0000
@@ -197,6 +197,7 @@ #endif softdep_setup_freeblocks(oip, length); vinvalbuf(ovp, 0, cred, p, 0, 0); + vnode_pager_setsize(vp, 0); oip->i_flag |= IN_CHANGE | IN_UPDATE; return (ffs_update(ovp, 0)); }
--------------------- cut here ----------------------

I wonder, isn't the variable 'vp' actually supposed to be 'ovp' in the added line? Technically they are identical. 'ovp' is assigned from 'vp' once in the variable definition section at the start of the function. However, using 'vp' when calling vnode_pager_setsize() looks a little odd given that anywhere else in this function, including another call to vnode_pager_setsize(), the variable 'ovp' is used instead of 'vp'.

I can't tell why 'ovp' was introduced in the first place. Might have historical reasons. But that's how the code currently works. In the MAIN branch as well, according to CVS.

So I'd suggest replacing 'vp' with 'ovp' in the patch above, for the sake of clarity and consistency.

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
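
Review bot: the added line 'vnode_pager_setsize(vp, 0);' names the vnode 'vp', while both context lines around it in this hunk, 'vinvalbuf(ovp, 0, cred, p, 0, 0);' and 'return (ffs_update(ovp, 0));', use 'ovp'. The hunk does not show where either variable is assigned, so the patch alone does not establish that the two names refer to the same vnode; passing 'ovp' would match the surrounding code and remove the question. Separately, the new call hard-codes a size of 0 while the preceding 'softdep_setup_freeblocks(oip, length);' takes 'length'; if this path is only reached when 'length' is 0, a one-line comment saying so would document the assumption.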