>> --- unionfs-20050920-1539/inode.cO 2005-09-21 04:39:03.000000000 +0900
>> +++ unionfs-20050920-1539/inode.c 2005-09-21 20:10:16.819341832 +0900
>> @@ -41,7 +41,7 @@
>> hidden_dentry = dtohd(dentry);
>>
>> /* check if whiteout exists in this branch, i.e. lookup .wh.foo first */
>> - name = KMALLOC(dentry->d_name.len + sizeof(".wh"), GFP_UNIONFS);
>> + name = KMALLOC(dentry->d_name.len + sizeof(".wh."), GFP_UNIONFS);
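Review bot: the size arithmetic at the KMALLOC line deserves a comment, because the reason the new value is right is exactly what was misread before: sizeof(".wh.") is 5, the four prefix characters plus the terminating NUL, so dentry->d_name.len + sizeof(".wh.") is precisely the room a NUL-terminated ".wh." + name needs, while the old sizeof(".wh") was one byte short and the terminator written last landed one byte past the end of the allocation. Suggest keeping the prefix in one place so the size and the string cannot drift apart again, e.g. `#define WHPFX ".wh."` and `name = KMALLOC(dentry->d_name.len + sizeof(WHPFX), GFP_UNIONFS);`, matching the spelling in the comment above it ("lookup .wh.foo first"), and confirm that the KMALLOC return value is checked before the buffer is filled, which the context of this hunk does not show.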
>
>I can't believe this. I have been reading that special part of inode.c
>several times during my 3-week debugging session, and did not notice the
>"off by one", maybe because the last byte of "name" is overwritten with
>a zero later. Also, I was searching more for uninitialized pointers or
>race conditions.
But! sizeof(".wh.") is actually 5, so... is it that we allocate one byte
too much now? (That would be the "string + size parameter" variant, as
opposed to "zero-terminated string", such as in maybe readlink().)
Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
| jengelh's site, http://jengelh.hopto.org/
_______________________________________________
unionfs mailing list
[email protected]
http://www.fsl.cs.sunysb.edu/mailman/listinfo/unionfs
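The sizeof-versus-strlen accounting that the thread above turns on, as an added userspace example that is not unionfs code: `malloc` stands in for KMALLOC, `WH_PREFIX` is an assumed name for the ".wh." literal, and the sample dentry name is constructed. The point it shows is that sizeof(".wh.") already includes the terminator, so `len + sizeof(".wh.")` is exactly the size of ".wh." + name + NUL, and the old `len + sizeof(".wh")` left the final zero byte with nowhere to go.

```c
/* Added example (not unionfs code): userspace stand-in showing why the
 * allocation for a whiteout name must be d_name.len + sizeof(".wh."). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WH_PREFIX ".wh."   /* assumed name for the whiteout prefix literal */

/* sizeof() of a string literal counts the terminating NUL; strlen() does not. */
size_t wh_prefix_sizeof(void) { return sizeof(WH_PREFIX); }   /* 5 */
size_t wh_prefix_strlen(void) { return strlen(WH_PREFIX); }   /* 4 */

/* Bytes needed for ".wh." + name + NUL: exactly name_len + sizeof(".wh."). */
size_t wh_name_alloc_size(size_t name_len)
{
    return name_len + sizeof(WH_PREFIX);
}

/* Bytes the pre-fix code reserved (sizeof(".wh") == 4): one short, so a
 * terminator written last lands one byte past the end of the buffer. */
size_t wh_name_alloc_size_buggy(size_t name_len)
{
    return name_len + sizeof(".wh");
}

/* Returns 1 if a buffer of 'size' bytes cannot hold ".wh." + name + NUL,
 * i.e. writing the terminator would overflow it. */
int wh_size_overflows(size_t size, size_t name_len)
{
    return size < strlen(WH_PREFIX) + name_len + 1;
}

/* Build the whiteout name the way the unionfs comment describes
 * ("lookup .wh.foo first"). Caller frees. Returns NULL on allocation failure. */
char *wh_build_name(const char *name, size_t name_len)
{
    size_t size = wh_name_alloc_size(name_len);
    char *buf = malloc(size);                 /* KMALLOC stand-in */
    if (!buf)
        return NULL;
    memcpy(buf, WH_PREFIX, strlen(WH_PREFIX));
    memcpy(buf + strlen(WH_PREFIX), name, name_len);
    buf[size - 1] = '\0';   /* in bounds only because sizeof() counted the NUL */
    return buf;
}

int main(void)
{
    const char *name = "foo";   /* constructed sample dentry name */
    size_t len = strlen(name);
    char *wh = wh_build_name(name, len);
    if (!wh)
        return 1;
    printf("sizeof(\"%s\") = %zu, strlen = %zu\n",
           WH_PREFIX, wh_prefix_sizeof(), wh_prefix_strlen());
    printf("%s -> %s: correct alloc %zu bytes, old alloc %zu bytes (overflows: %d)\n",
           name, wh, wh_name_alloc_size(len), wh_name_alloc_size_buggy(len),
           wh_size_overflows(wh_name_alloc_size_buggy(len), len));
    free(wh);
    return 0;
}
```

Whether the +1 is "one byte too much" depends only on how the buffer is consumed afterwards: if it is passed as string plus explicit length, the terminator is unnecessary; if anything calls strlen() or a lookup on it as a C string, the terminator is required and the allocation above is exactly right.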