[Xen-devel] [PATCH]mini-os: Bug in allocate_xenbus_id()


  • To: Grzegorz Milos <gm281@xxxxxxxxx>
  • From: Dietmar Hahn <dietmar.hahn@xxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 19 Feb 2007 10:47:14 +0100
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 19 Feb 2007 01:46:34 -0800
  • Domainkey-signature: s=s768; d=fujitsu-siemens.com; c=nofws; q=dns; b=DGqBTw8JyPS+vlRH/EZt5iAIVuY0st/Xxe0Es2zYBRboHPwMG8KWYjB1iaJ7hHdzPZEKFh7u26h7jXR55PLTJjuLVreLtvRgwzgD25TVHpW9aDqj9xhryeb7zkZr9Rb9;
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Hi Gregor,

In allocate_xenbus_id() the static variable probe never gets reset.
Therewith ids >= NR_REQS are possible, which leads to an overflow in
req_info[] and may crash the mini-os.
Thanks.

Dietmar

Signed-off-by: Dietmar Hahn <dietmar.hahn@xxxxxxxxxxxxxxxxxxx>

# HG changeset patch
# User dietmar.hahn@xxxxxxxxxxxxxxxxxxx
# Date 1171877953 -3600
# Node ID 3d04558ad3d7e3811ac8c827bb876858bbb1c415
# Parent  b5fc88aad1b0eb35d12e503982c70fdc27f0544a
Because probe never gets decremented (or reset), id >= NR_REQS is possible, 
which may lead to a crash.

diff -r b5fc88aad1b0 -r 3d04558ad3d7 extras/mini-os/xenbus/xenbus.c
--- a/extras/mini-os/xenbus/xenbus.c    Sun Feb 18 15:29:40 2007 +0000
+++ b/extras/mini-os/xenbus/xenbus.c    Mon Feb 19 10:39:13 2007 +0100
@@ -210,7 +210,7 @@ static int allocate_xenbus_id(void)
     }
     nr_live_reqs++;
     req_info[o_probe].in_use = 1;
-    probe = o_probe + 1;
+    probe = (o_probe + 1) % NR_REQS;
     spin_unlock(&req_lock);
     init_waitqueue_head(&req_info[o_probe].waitq);


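Review bot: The write `req_info[o_probe].in_use = 1` just above the changed line still trusts o_probe, and the scan that produces o_probe sits above this hunk and is not visible here. The wrap in `probe = (o_probe + 1) % NR_REQS;` only keeps the stored cursor in range, so please confirm the scan also advances modulo NR_REQS, or add a bounds assertion on o_probe before that write, so that no other path can carry an out-of-range index into req_info[]. A one-line comment on the static probe stating that it is a round-robin cursor that must stay within [0, NR_REQS) would also help, since the commit message speaks of decrementing or resetting while the change wraps.
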
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
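
A small model of the bug described in the mail, added here as an illustration and not taken from mini-os: with the unwrapped cursor, the id after the NR_REQS-th allocation points one past the table even when every id is released immediately. The NR_REQS value of 32, the struct, the free-slot scan and the churn() helper are assumptions; the model reports the out-of-range index instead of performing the access.

```c
#include <stdio.h>

#define NR_REQS 32 /* assumed size; the page does not give the value */

struct allocator {
    int in_use[NR_REQS]; /* stands in for req_info[].in_use */
    int probe;           /* next index to try, like the static 'probe' */
    int nr_live;
};

/* Returns the id, -1 if the table is full, or -2 where the real code would
 * index past the table (reported here instead of performed). */
static int alloc_id(struct allocator *a, int wrap_probe)
{
    int o_probe = a->probe;
    if (a->nr_live >= NR_REQS)
        return -1;
    for (;;) { /* free-slot scan: assumed, not shown in the hunk */
        if (o_probe >= NR_REQS)
            return -2;
        if (!a->in_use[o_probe])
            break;
        o_probe = (o_probe + 1) % NR_REQS;
    }
    a->nr_live++;
    a->in_use[o_probe] = 1;
    a->probe = wrap_probe ? (o_probe + 1) % NR_REQS : o_probe + 1;
    return o_probe;
}

/* Allocate and release one id per round; 0 if all ids stayed in range. */
static int churn(int rounds, int wrap_probe)
{
    struct allocator a = {0};
    for (int i = 0; i < rounds; i++) {
        int id = alloc_id(&a, wrap_probe);
        if (id < 0)
            return id;
        a.in_use[id] = 0; /* release */
        a.nr_live--;
    }
    return 0;
}

int main(void)
{
    printf("unwrapped: %d, wrapped: %d\n", churn(NR_REQS + 1, 0), churn(NR_REQS + 1, 1));
    return 0;
}
```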