Please review RTEMS JFFS2 Adapter Issue
Gedare Bloom
gedare at rtems.org
Tue Nov 25 19:48:32 UTC 2014
Sebastian will have to comment, but it looks like the inner path is
not expected to be taken the first time through, i.e. you might add:

    assert(root_i->i_count > 0);

-Gedare

On Tue, Nov 25, 2014 at 2:30 PM, Joel Sherrill
<joel.sherrill at oarcorp.com> wrote:
> Hi
>
> Coverity Id 1255348 in fs-rtems.c can't be ignored on the grounds
> the JFFS2 project will see it.
>
> this->i_cache_prev->i_cache_next =
> this->i_cache_next;
> 84 jffs2_clear_inode(this);
> 85 memset(this, 0x5a, sizeof(*this));
>
> 15. freed_arg: free frees this. [Note: The source code implementation of the
> function has been overridden by a builtin model.]
> 86 free(this);
>
> 6. Condition parent, taking true branch
>
> 7. Condition parent != this, taking true branch
>
> 16. Condition parent, taking true branch
>
> 17. Condition parent != this, taking true branch
> 87 if (parent && parent != this) {
> 88 parent->i_count--;
>
> 8. alias: Assigning: this = root_i. Now both point to the same storage.
>
> CID 1255348 (#1-2 of 2): Use after free (USE_AFTER_FREE)18. use_after_free:
> Using freed pointer root_i.
> 89 this = root_i;
>
> 9. Jumping to label restart
> 90 goto restart;
> 91 }
>
> --
> Joel Sherrill, Ph.D. Director of Research & Development
> joel.sherrill at OARcorp.com On-Line Applications Research
> Ask me about RTEMS: a free RTOS Huntsville AL 35805
> Support Available (256) 722-9985
>
>
> _______________________________________________
> devel mailing list
> devel at rtems.org
> http://lists.rtems.org/mailman/listinfo/devel
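
Added example, not part of the original thread or of the RTEMS/JFFS2 sources: a simplified model of the loop in the quoted report, with the suggested assert turned into a check that is re-evaluated at every restart. The struct layout, cache_add and evict_unreferenced are hypothetical names and the list contents are constructed; only the field names come from the quoted lines.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified inode: only the fields used in the quoted lines. */
struct inode {
    int i_count;
    struct inode *i_parent, *i_cache_prev, *i_cache_next;
};

/* Constructed helper: append a node to the cache list after prev. */
struct inode *cache_add(struct inode *prev, struct inode *parent, int count)
{
    struct inode *n = calloc(1, sizeof(*n));
    if (!n) abort();
    n->i_count = count; n->i_parent = parent; n->i_cache_prev = prev;
    if (prev) prev->i_cache_next = n;
    return n;
}

/* Free every cached inode whose i_count is 0. Returns the number freed, or -1
 * as soon as root_i is unreferenced, so a restart never reads freed storage. */
int evict_unreferenced(struct inode *root_i)
{
    struct inode *cur, *next, *parent;
    int drop_parent, freed = 0;
restart:
    if (root_i == NULL || root_i->i_count <= 0)
        return -1;          /* runtime form of assert(root_i->i_count > 0) */
    for (cur = root_i; cur != NULL; cur = next) {
        next = cur->i_cache_next;
        if (cur->i_count != 0) continue;
        parent = cur->i_parent;             /* read everything before free */
        drop_parent = (parent && parent != cur);
        if (cur->i_cache_next) cur->i_cache_next->i_cache_prev = cur->i_cache_prev;
        if (cur->i_cache_prev) cur->i_cache_prev->i_cache_next = cur->i_cache_next;
        memset(cur, 0x5a, sizeof(*cur));
        free(cur);
        freed++;
        if (drop_parent) {
            parent->i_count--;              /* may make the parent evictable */
            goto restart;
        }
    }
    return freed;
}

int main(void)
{
    struct inode *root = cache_add(NULL, NULL, 2);  /* constructed: 2 references */
    cache_add(root, root, 0);                       /* unreferenced child */
    return evict_unreferenced(root) == 1 ? 0 : 1;
}
```

Because the guard sits at the restart label, it also covers the case where dropping a child's reference is what takes root_i to zero, which a single check at function entry would miss.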