On Tue, Nov 25, 2014 at 2:48 PM, Gedare Bloom <ged...@rtems.org> wrote:
> Sebastian will have to comment, but it looks like the inner path is
> not expected to be taken the first time through, i.e. you might add:
> assert(root_i->i_count > 0);
>
P.S. the function has a FIXME at the top suggesting it should be done a different way, but how is not clear.
> -Gedare
>
> On Tue, Nov 25, 2014 at 2:30 PM, Joel Sherrill
> <joel.sherr...@oarcorp.com> wrote:
>> Hi
>>
>> Coverity Id 1255348 in fs-rtems.c can't be ignored on the grounds
>> the JFFS2 project will see it.
>>
>> this->i_cache_prev->i_cache_next =
>> this->i_cache_next;
>> 84 jffs2_clear_inode(this);
>> 85 memset(this, 0x5a, sizeof(*this));
>>
>> 15. freed_arg: free frees this. [Note: The source code implementation of the
>> function has been overridden by a builtin model.]
>> 86 free(this);
>>
>> 6. Condition parent, taking true branch
>>
>> 7. Condition parent != this, taking true branch
>>
>> 16. Condition parent, taking true branch
>>
>> 17. Condition parent != this, taking true branch
>> 87 if (parent && parent != this) {
>> 88 parent->i_count--;
>>
>> 8. alias: Assigning: this = root_i. Now both point to the same storage.
>>
>> CID 1255348 (#1-2 of 2): Use after free (USE_AFTER_FREE)18. use_after_free:
>> Using freed pointer root_i.
>> 89 this = root_i;
>>
>> 9. Jumping to label restart
>> 90 goto restart;
>> 91 }
>>
>> --
>> Joel Sherrill, Ph.D. Director of Research & Development
>> joel.sherr...@oarcorp.com On-Line Applications Research
>> Ask me about RTEMS: a free RTOS Huntsville AL 35805
>> Support Available (256) 722-9985
>>
>>
>> _______________________________________________
>> devel mailing list
>> devel@rtems.org
>> http://lists.rtems.org/mailman/listinfo/devel
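
The free-then-restart pattern from the Coverity trace above, as an added example that is not part of the original thread and is not the RTEMS or JFFS2 source: a small model of a cache walk that restarts from its root pointer after each free. The `struct node` layout, the name `evict_unreferenced`, the eviction condition (`count == 0`) and the `-1` return used in place of the suggested assert are all assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a cached inode; not the RTEMS structure. */
struct node {
    int count;                          /* reference count */
    struct node *parent, *prev, *next;
};

/*
 * Free every unreferenced node on the list headed by root. Each freed node
 * drops one reference on its parent, so the walk restarts from root.
 * Returns the number of nodes freed, or -1 when root is unreferenced.
 */
int evict_unreferenced(struct node *root)
{
    int freed = 0;
    struct node *cur, *next, *parent;

    if (root == NULL)
        return -1;
restart:
    /* Same idea as the suggested assert, checked on every restart: an
       unreferenced root would be freed by the walk below and then
       reloaded as a dangling pointer by the next restart. */
    if (root->count <= 0)
        return -1;
    for (cur = root; cur != NULL; cur = next) {
        next = cur->next;               /* read links before cur is freed */
        if (cur->count != 0)
            continue;
        /* Compare against cur while it is still valid, not after free(). */
        parent = (cur->parent != cur) ? cur->parent : NULL;
        if (cur->prev) cur->prev->next = cur->next;
        if (cur->next) cur->next->prev = cur->prev;
        memset(cur, 0x5a, sizeof(*cur)); /* poison, as in the report */
        free(cur);
        freed++;
        if (parent) {
            parent->count--;            /* parent may now be evictable */
            goto restart;
        }
    }
    return freed;
}
```

In this model a check made only once at function entry would not be enough, because the decrement on the parent can drop the root's count to zero between passes.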