Three years ago, in commit
68cb0aef (Introduce
afs_max_size_handler_data and afs_max_size_handler()) the afs callbacks
were converted to pass a pointer to an afs_max_size_handler_data
structure to the dispatcher. This structure is defined as
struct afs_max_size_handler_data {
int fd;
uint8_t band;
};
However, we missed to convert the callbacks of the three commands
mentioned in the subject. All these commands except init pass
a pointer to an int as they did before commit
68cb0aef. Since
afs_max_size_handler_data stores one additional byte (the band
designator) after the file descriptor, the dispatcher will read one
byte past the allocated space.
This bug is benign because the max size handler is usually not called
for the affected commands, since they never have more than SHMMAX
bytes of output. For com_init() we even set the private_data pointer
to NULL, so the max size handler will never be called.
Let's fix it anyway.
{
uint32_t table_mask = *(uint32_t *)query->data;
int i, ret;
- struct para_buffer pb = {.buf = NULL};
+ struct para_buffer pb = {
+ .max_size = shm_get_shmmax(),
+ .private_data = &(struct afs_max_size_handler_data) {
+ .fd = fd,
+ .band = SBD_OUTPUT
+ }
+ };
close_afs_tables();
for (i = 0; i < NUM_AFS_TABLES; i++) {
struct touch_action_data tad = {.cto = query->data,
.pb = {
.max_size = shm_get_shmmax(),
- .private_data = &fd,
+ .private_data = &(struct afs_max_size_handler_data) {
+ .fd = fd,
+ .band = SBD_OUTPUT
+ },
.max_size_handler = afs_max_size_handler
}
};
struct com_rm_action_data crd = {.flags = *(uint32_t *)query->data,
.pb = {
.max_size = shm_get_shmmax(),
- .private_data = &fd,
+ .private_data = &(struct afs_max_size_handler_data) {
+ .fd = fd,
+ .band = SBD_OUTPUT
+ },
.max_size_handler = afs_max_size_handler
}
};
.flags = *(unsigned *)query->data,
.pb = {
.max_size = shm_get_shmmax(),
- .private_data = &fd,
+ .private_data = &(struct afs_max_size_handler_data) {
+ .fd = fd,
+ .band = SBD_OUTPUT
+ },
.max_size_handler = afs_max_size_handler
}
};