libutils: brel: bugfix memset scope larger than expected
In the case where wipe = true and the previous buffer is free, memset
only the current buffer, rather than the current buffer together with
the previous free buffer.

Signed-off-by: Zengxx <zengxiaoxu@huawei.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Guangwei Zhou <zhouguangwei5@huawei.com>
xiaoxuZeng authored and jforissier committed Oct 21, 2022
1 parent 825dff9 commit 0d4767a
Showing 1 changed file with 12 additions and 2 deletions.
14 changes: 12 additions & 2 deletions lib/libutils/isoc/bget.c
@@ -922,6 +922,8 @@ void brel(buf, poolset, wipe)
int wipe;
{
struct bfhead *b, *bn;
char *wipe_start;
bufsize wipe_size;

b = BFH(((char *) buf) - sizeof(struct bhead));
#ifdef BufStats
@@ -984,6 +986,10 @@ void brel(buf, poolset, wipe)

register bufsize size = b->bh.bsize;

/* Only wipe the current buffer, including bfhead. */
wipe_start = (char *)b;
wipe_size = -size;

/* Make the previous buffer the one we're working on. */
assert(BH((char *) b - b->bh.prevfree)->bsize == b->bh.prevfree);
b = BFH(((char *) b) - b->bh.prevfree);
@@ -1000,6 +1006,9 @@ void brel(buf, poolset, wipe)
poolset->freelist.ql.blink = b;
b->ql.blink->ql.flink = b;
b->bh.bsize = -b->bh.bsize;

wipe_start = (char *)b + sizeof(struct bfhead);
wipe_size = b->bh.bsize - sizeof(struct bfhead);
}

/* Now we look at the next buffer in memory, located by advancing from
@@ -1028,10 +1037,11 @@ void brel(buf, poolset, wipe)
memory. */

bn = BFH(((char *) b) + b->bh.bsize);
/* Only bfhead of next buffer needs to be wiped */
wipe_size += sizeof(struct bfhead);
}
if (wipe) {
V memset_unchecked(((char *) b) + sizeof(struct bfhead), 0x55,
(MemSize) (b->bh.bsize - sizeof(struct bfhead)));
V memset_unchecked(wipe_start, 0x55, wipe_size);
}
assert(bn->bh.bsize < 0);
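Review bot: The final `memset_unchecked(wipe_start, 0x55, wipe_size)` now takes its length from a signed `bufsize` built from `-size`, `b->bh.bsize - sizeof(struct bfhead)` and `+= sizeof(struct bfhead)`, and the explicit `(MemSize)` cast of the old call is gone, so a negative value from damaged block headers would presumably be converted to a very large length. Since this is the wipe-on-free path, it is worth pinning the range before the call, e.g. `assert(wipe_size >= 0 && wipe_start + wipe_size <= (char *)bn);`, assuming `bn` always points at the block following the merged one at that point. `wipe_start` and `wipe_size` are also declared without initialisers and only assigned inside the two branches; initialising them at declaration (`char *wipe_start = NULL;`, `bufsize wipe_size = 0;`) would keep the memset well defined if a path is ever added that skips both. The `if`/`else` lines and the rest of `brel` lie outside the hunks shown, so both points should be checked against the full function.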
