Re: Serious devpts bug (still not fixed)

Bill Hawes (whawes@star.net)
Fri, 11 Sep 1998 13:04:44 -0400


Duncan Simpson wrote:
>
> I tried to report this bug a while back but it is still at large. At the
> end of fs/devpts/root.c it says
>
> 	dentry->d_inode = sbi->inodes[entry];
> 	if ( dentry->d_inode )
> 		dentry->d_inode->i_count++;
>
> Sadly it only checks that the filename is all 0 to 9 and has no leading 0s.
> There is no check that entry is small enough to be a legitimate index of
> the sbi->inodes[]. Since the default is 256 and most people go with that,
> cat /dev/pts/666 is normally lethal. If you are unlucky, dentry->d_inode contains
> some really lethal screwy data and the dentry->d_inode->i_count++ screws
> some important data structure somewhere.
>
> I changed my kernel to say
> 	if (entry<sbi->max_ptys) /* Check range of number */
> 	{
> 		dentry->d_inode = sbi->inodes[entry];
> 		if ( dentry->d_inode )
> 			dentry->d_inode->i_count++;
> 	}
> instead, so if entry is too big dentry stays NULL and the naughty memory
> reference does not happen.

Hi Duncan,

When you've found and fixed a bug, please submit it as a patch so that
it's easy for others to examine and test. Just do a

diff -u old_file new_file >patch_file

and then post it with an explanation of the problem.

Regards,
Bill
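The range check Duncan describes, as a stand-alone example added here (it is not code from this thread or from the kernel's fs/devpts): the structures, the demo table and the function names are toy stand-ins constructed for the example. It parses a /dev/pts name the same way the quoted code is said to (digits only, no leading zeros, and additionally rejecting values that would wrap an unsigned int), then shows the unchecked lookup beside the checked one, so that an entry at or beyond max_ptys never reaches inodes[].

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for the devpts structures used in the quoted code.
 * They are constructed for this example and are not the kernel's definitions;
 * only the fields the lookup touches are present. */
struct inode {
    int i_count;
};

struct devpts_sb_info {
    unsigned int max_ptys;  /* number of slots in inodes[] (256 by default) */
    struct inode **inodes;  /* inodes[entry] is NULL when that pty is not open */
};

/* Parse a /dev/pts/<name> component: digits only, no leading zeros, and the
 * value must fit in an unsigned int.  Returns 0 and stores the number on
 * success, -1 if the name is rejected. */
static int parse_pts_name(const char *name, unsigned int *out)
{
    size_t len = strlen(name);
    unsigned int entry = 0;
    size_t i;

    if (len == 0)
        return -1;
    if (len > 1 && name[0] == '0')      /* "007" is not a valid pty name */
        return -1;
    for (i = 0; i < len; i++) {
        unsigned int digit;
        if (name[i] < '0' || name[i] > '9')
            return -1;
        digit = (unsigned int)(name[i] - '0');
        if (entry > (UINT_MAX - digit) / 10)   /* entry * 10 + digit would wrap */
            return -1;
        entry = entry * 10 + digit;
    }
    *out = entry;
    return 0;
}

/* The lookup as quoted above, before the fix: entry is used as an index with
 * no range check, so a caller must never pass entry >= max_ptys. */
static struct inode *lookup_unchecked(struct devpts_sb_info *sbi, unsigned int entry)
{
    struct inode *inode = sbi->inodes[entry];
    if (inode)
        inode->i_count++;
    return inode;
}

/* The lookup with Duncan's range check: an out-of-range entry leaves the
 * result NULL and never touches inodes[]. */
static struct inode *lookup_checked(struct devpts_sb_info *sbi, unsigned int entry)
{
    struct inode *inode = NULL;
    if (entry < sbi->max_ptys) {        /* check range of number */
        inode = sbi->inodes[entry];
        if (inode)
            inode->i_count++;
    }
    return inode;
}

/* Full path from a name to an inode; NULL for any rejected name or empty slot. */
static struct inode *devpts_lookup_name(struct devpts_sb_info *sbi, const char *name)
{
    unsigned int entry;
    if (parse_pts_name(name, &entry) < 0)
        return NULL;
    return lookup_checked(sbi, entry);
}

/* A constructed 4-slot table with only pty 2 open, standing in for a
 * superblock configured with max_ptys = 4. */
#define DEMO_PTYS 4
static struct inode demo_open_pty = { 1 };
static struct inode *demo_table[DEMO_PTYS] = { NULL, NULL, &demo_open_pty, NULL };
static struct devpts_sb_info demo_sbi = { DEMO_PTYS, demo_table };

int main(void)
{
    const char *names[] = { "2", "3", "0", "666", "02", "2a", "99999999999" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct inode *inode = devpts_lookup_name(&demo_sbi, names[i]);
        printf("/dev/pts/%-12s -> %s\n", names[i],
               inode ? "inode found" : "NULL (rejected or not open)");
    }
    return 0;
}
```

With the demo table, "2" returns the open inode and bumps its i_count; "3" and "0" are in range but not open; "666", "02", "2a" and the oversized number all come back NULL without inodes[] ever being indexed. The point of checking before the load rather than after is that the unchecked version has already read past the array by the time anyone could look at the result.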

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/faq.html