Source-Changes-HG archive


[src/trunk]: src/sys/ufs/ufs Fix a preexisting array overrun and a preexistin...



details:   https://anonhg.NetBSD.org/src/rev/df43d5d75ae2
branches:  trunk
changeset: 773198:df43d5d75ae2
user:      dholland <dholland%NetBSD.org@localhost>
date:      Sun Jan 29 07:08:00 2012 +0000

description:
Fix a preexisting array overrun and a preexisting double free, both
exposed by cleanup and testing.

diffstat:

 sys/ufs/ufs/ufs_quota2.c |  17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

diffs (56 lines):

diff -r 81e25905a9b3 -r df43d5d75ae2 sys/ufs/ufs/ufs_quota2.c
--- a/sys/ufs/ufs/ufs_quota2.c  Sun Jan 29 07:07:22 2012 +0000
+++ b/sys/ufs/ufs/ufs_quota2.c  Sun Jan 29 07:08:00 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ufs_quota2.c,v 1.23 2012/01/29 07:07:22 dholland Exp $ */
+/* $NetBSD: ufs_quota2.c,v 1.24 2012/01/29 07:08:00 dholland Exp $ */
 /*-
   * Copyright (c) 2010 Manuel Bouyer
   * All rights reserved.
@@ -26,7 +26,7 @@
   */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_quota2.c,v 1.23 2012/01/29 07:07:22 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_quota2.c,v 1.24 2012/01/29 07:08:00 dholland Exp $");
 
 #include <sys/buf.h>
 #include <sys/param.h>
@@ -1000,7 +1000,7 @@
 
 struct getuids {
        long nuids; /* number of uids in array */
-       long size;  /* size of array */
+       long maxuids;  /* number of uids allocated */
        uid_t *uids; /* array of uids, dynamically allocated */
        long skip;
        long seen;
@@ -1013,6 +1013,7 @@
 {
        struct getuids *gu = v;
        uid_t *newuids;
+       long newmax;
 #ifdef FFS_EI
        const int needswap = UFS_MPNEEDSWAP(ump);
 #endif
@@ -1021,15 +1022,15 @@
                gu->skip--;
                return 0;
        }
-       if (gu->nuids == gu->size) {
-               newuids = realloc(gu->uids, gu->size + PAGE_SIZE, M_TEMP,
-                   M_WAITOK);
+       if (gu->nuids == gu->maxuids) {
+               newmax = gu->maxuids + PAGE_SIZE / sizeof(uid_t);
+               newuids = realloc(gu->uids, newmax * sizeof(gu->uids[0]),
+                   M_TEMP, M_WAITOK);
                if (newuids == NULL) {
-                       free(gu->uids, M_TEMP);
                        return ENOMEM;
                }
                gu->uids = newuids;
-               gu->size += (PAGE_SIZE / sizeof(uid_t));
+               gu->maxuids = newmax;
        }
        gu->uids[gu->nuids] = ufs_rw32(q2ep->q2e_uid, needswap);
        gu->nuids++;
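Review bot: The growth path spells the element size two ways, `PAGE_SIZE / sizeof(uid_t)` for `newmax` and `newmax * sizeof(gu->uids[0])` for the allocation; the overrun fixed here appears to have come from mixing a byte count with an element count, so I would use one spelling, `newmax = gu->maxuids + PAGE_SIZE / sizeof(gu->uids[0]);`. With the `free()` removed from the `newuids == NULL` branch, `gu->uids` stays allocated on `ENOMEM` and whoever owns `gu` has to release it, which deserves a comment in that branch such as `/* gu->uids is still valid; the caller frees it */`. The array also grows by a page of uids each time it fills, with no upper limit visible in this hunk, so a cap may be needed if the number of entries is not bounded elsewhere. The function starts before this hunk and continues after it, so the caller's cleanup cannot be checked from here.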


