[systemd-bugs] [Bug 87305] New: kdbus: the slice size check in kdbus_pool_copy does not make sense

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sun Dec 14 06:35:13 PST 2014


https://bugs.freedesktop.org/show_bug.cgi?id=87305

            Bug ID: 87305
           Summary: kdbus: the slice size check in kdbus_pool_copy does
                    not make sense
           Product: systemd
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: systemd-bugs at lists.freedesktop.org
          Reporter: mustrumr97 at gmail.com
        QA Contact: systemd-bugs at lists.freedesktop.org

It looks like the slice occupies pool[slice->off,slice->off+slice->size).

Therefore:
--- a/pool.c
+++ b/pool.c
@@ -644,7 +644,7 @@ static int kdbus_pool_copy(const struct kdbus_pool_slice
*slice,
        unsigned long rem = len;
        int ret = 0;

-       BUG_ON(off_dst + len > slice->size);
+       BUG_ON(len > slice->size);
        BUG_ON(slice->free);

        mutex_lock(&i_dst->i_mutex);
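Review bot: removing off_dst from the bound check loosens the assertion rather than correcting it, and nothing in this hunk shows what off_dst is relative to, which is what decides whether the original line was wrong. The observation that the slice spans pool[slice->off, slice->off + slice->size) describes where the slice sits in the pool; the check in question concerns off_dst, a separate argument to kdbus_pool_copy. If off_dst is an offset within the slice, then `BUG_ON(off_dst + len > slice->size)` is precisely the condition that keeps the copy inside the slice, and the replacement `BUG_ON(len > slice->size)` would accept a copy of len bytes starting at off_dst that runs past the end of the slice into whatever follows it in the pool. In that reading the crashes are the assertion reporting a caller that requests an out-of-range copy, and the fix belongs in the caller or in the computation of off_dst and len, not in the assertion. Please confirm from the body of kdbus_pool_copy and its callers whether off_dst is slice-relative or pool-relative before taking this; if it turns out to be pool-relative, the check should be rewritten against the slice bounds, for example `BUG_ON(off_dst < slice->off || off_dst + len > slice->off + slice->size);`, rather than dropping the offset from the comparison altogether.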


Confirmed, this makes my system less crash-prone (down to about 0% from 100%
crash probability).
