mtd/fs/jffs2 readinode.c,1.145,1.146
Artem Bityutskiy
dedekind at infradead.org
Fri Jan 6 08:51:25 EST 2006
Update of /home/cvs/mtd/fs/jffs2
In directory phoenix.infradead.org:/tmp/cvs-serv32559/fs/jffs2
Modified Files:
readinode.c
Log Message:
[JFFS2] Bugfix: don't use freed objects
'this' points to the 'struct rb_node rb' field of the 'tn' object. 'tn' is
freed, then the 'this' pointer is dereferenced ('this = this->rb_parent'). If
somebody re-used 'tn' before the dereference operation, the system may crash.
So the fix: first dereference 'this', then free 'tn'.
Index: readinode.c
===================================================================
RCS file: /home/cvs/mtd/fs/jffs2/readinode.c,v
retrieving revision 1.145
retrieving revision 1.146
diff -u -r1.145 -r1.146
--- readinode.c 11 Nov 2005 14:29:12 -0000 1.145
+++ readinode.c 6 Jan 2006 13:51:22 -0000 1.146
@@ -63,10 +63,12 @@
this = this->rb_right;
else {
tn = rb_entry(this, struct jffs2_tmp_dnode_info, rb);
+
+ this = this->rb_parent;
+
jffs2_free_full_dnode(tn->fn);
jffs2_free_tmp_dnode_info(tn);
- this = this->rb_parent;
if (!this)
break;
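Review bot: moving `this = this->rb_parent;` ahead of `jffs2_free_full_dnode(tn->fn);` and `jffs2_free_tmp_dnode_info(tn);` is the right fix, since `this` is the `rb` member embedded in `tn` and reading it after the free is a use-after-free; however, the ordering constraint is invisible in the code itself, and the two blank `+` lines around the assignment add whitespace without explaining it. A one-line comment at that point, e.g. `/* read rb_parent before tn is freed: 'this' lives inside tn */`, would keep a later cleanup from moving the assignment back after the free calls.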