[Bug 231116] Out of bounds memory access in blist_create()

Mon Sep 3 18:46:41 UTC 2018

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231116

Mark Johnston <markj at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markj at FreeBSD.org

--- Comment #2 from Mark Johnston <markj at FreeBSD.org> ---
It happens with blist_create(128, 1) too.  In that case, we need two leaf
nodes, an internal parent node, and a terminator.  However, we end up with
nodes == 3 since last_block < blocks.  That is, we're missing a case where
nodes should be initialized to 2 instead of 1.  The problem is triggered when
"blocks" is the sum of powers of 2 >= BLIST_BMAP_RADIX.

Index: subr_blist.c
===================================================================
--- subr_blist.c        (revision 338446)
+++ subr_blist.c        (working copy)
@@ -244,7 +244,10 @@
         * Count the meta-nodes in the expanded tree, including the final
         * terminator, from the bottom level up to the root.
         */
-       nodes = (last_block >= blocks) ? 2 : 1;
+       nodes = 1;
+       if (last_block >= blocks || (last_block != radix - 1 &&
+           (last_block & (radix - 1)) == last_block))
+               nodes++;
        last_block /= BLIST_BMAP_RADIX;
        while (last_block > 0) {
                nodes += last_block + 1;

-- 
You are receiving this mail because:
You are the assignee for the bug.
