Date:      Thu, 25 Jan 1996 04:29:47 +1100
From:      Bruce Evans <bde@zeta.org.au>
To:        bde@zeta.org.au, m_tanaka@pa.yokogawa.co.jp, mpp@mpp.minn.net
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: NFS trouble ?
Message-ID:  <199601241729.EAA29129@godzilla.zeta.org.au>

>>Index: nfs_bio.c
>>===================================================================
>>RCS file: /usr/var/cvs/src/sys/nfs/nfs_bio.c,v
>>retrieving revision 1.21
>>diff -u -r1.21 nfs_bio.c
>>--- nfs_bio.c	1995/12/17 21:12:13	1.21
>>+++ nfs_bio.c	1996/01/23 20:03:38
>>@@ -240,7 +240,8 @@
>> 		 */
>> again:
>> 		bufsize = biosize;
>>-		if ((lbn + 1) * biosize > np->n_size) {
>>+		if ((lbn + 1) * biosize > np->n_size && 
>>+		    (lbn + 1) * biosize - np->n_size < biosize) {
>> 			bufsize = np->n_size - lbn * biosize;
>> 			bufsize = (bufsize + DEV_BSIZE - 1) & ~(DEV_BSIZE - 1);
>> 		}
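Review bot: the new test `(lbn + 1) * biosize > np->n_size &&` still forms the product in int, exactly as the original line did, so once lbn + 1 exceeds INT_MAX / biosize it wraps before being widened for the comparison with the u_quad_t np->n_size; widen first, `(off_t)(lbn + 1) * biosize`, and do the same for `lbn * biosize` in the unchanged `bufsize = np->n_size - lbn * biosize;` line, which has the same defect. A one-line comment on the added second condition would also help: its only effect is that a block lying wholly past np->n_size now keeps bufsize == biosize instead of computing np->n_size - lbn * biosize, which is not a positive byte count there.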
>>-- 

>I think the change should be

>>+		if ((off_t)(lbn + 1) * biosize > np->n_size) {

>There are several other similar potentially overflowing multiplications in
>nfs_bio.c.

Oops, it needs your fix too, although it might be better for it to crash
than for it to attempt to copy a 1TB holey file to a 1TB non-holey file.
It will probably do something bad for one of the overflows.  There's
another one visible `(lbn * biosize)' and stupider ones a little later
`diff = np->n_size - uio->uio_offset;' where the LHS has type `int' and
the RHS has type u_quad_t (n_size has type u_quad_t and uio_offset has
type off_t which happens to be quad_t).  Support for >= 2GB files should
be disabled until all the overflows are fixed.

Bruce
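The two overflows Bruce describes, modelled side by side as an added example (not code from the thread or from nfs_bio.c). Assumed: a 32-bit lbn, u_quad_t n_size, biosize of 8192, and hypothetical helper names wrap32, bufsize_narrow, bufsize_wide and remaining_narrow; the int wrap is spelled out through wrap32 so the demonstration is defined behaviour rather than the undefined signed overflow of the real code.

```c
#include <stdint.h>

#define DEV_BSIZE 512

/* Types as in the posted kernel code: lbn a 32-bit block number,
 * np->n_size a u_quad_t, bufsize and diff plain ints (assumed). */
typedef int32_t  lbn_t;
typedef uint64_t nfs_size_t;
/* Store a 64-bit value into a 32-bit int as the kernel did (keep the low
 * 32 bits), written so the wrap is defined behaviour rather than UB. */
static int32_t wrap32(uint64_t v)
{
    uint32_t u = (uint32_t)v;
    if (u <= (uint32_t)INT32_MAX) return (int32_t)u;
    return (int32_t)(u - (uint32_t)INT32_MAX - 1u) - INT32_MAX - 1;
}

/* As posted: (lbn + 1) * biosize is an int product that wraps, and the
 * wrapped (possibly negative) int is widened to u_quad_t for the compare. */
static int32_t bufsize_narrow(lbn_t lbn, int32_t biosize, nfs_size_t n_size)
{
    int32_t bufsize = biosize;
    int32_t next = wrap32((uint64_t)(lbn + 1) * (uint64_t)biosize);
    if ((nfs_size_t)next > n_size) {        /* negative next -> huge unsigned */
        int32_t start = wrap32((uint64_t)lbn * (uint64_t)biosize);
        bufsize = wrap32(n_size - (nfs_size_t)start);
        bufsize = (bufsize + DEV_BSIZE - 1) & ~(DEV_BSIZE - 1);
    }
    return bufsize;
}

/* The form the thread converges on: widen before multiplying, keeping the
 * posted guard that the block must actually straddle n_size. */
static int32_t bufsize_wide(lbn_t lbn, int32_t biosize, nfs_size_t n_size)
{
    int64_t bufsize = biosize;
    int64_t end = (int64_t)(lbn + 1) * biosize;          /* cannot wrap */
    if (end > (int64_t)n_size && end - (int64_t)n_size < biosize) {
        bufsize = (int64_t)n_size - (int64_t)lbn * biosize;  /* 1..biosize-1 */
        bufsize = (bufsize + DEV_BSIZE - 1) & ~(DEV_BSIZE - 1);
    }
    return (int32_t)bufsize;
}

/* The other overflow named in the mail: `diff = np->n_size - uio_offset'
 * with an int on the left keeps only the low 32 bits of a 64-bit count. */
static int32_t remaining_narrow(nfs_size_t n_size, int64_t uio_offset)
{
    return wrap32(n_size - (nfs_size_t)uio_offset);
}
```

For block 262144 of a 4 GiB file the narrow form yields a bufsize of INT32_MIN where the wide form yields 8192, and at offset 0 of a 1 TiB file the int `diff' reads as 0 bytes remaining.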
