Bug#741952: linux: Possible bug in 3.2's cifs/file.c, use of uninitialized variable
Source: linux
Version: 3.2.54-2
Hi,
In fs/cifs/file.c's cifs_iovec_write I believe that 'written'[1] can
be used while not initialized: it is initialized in the call to
CIFSSMBWrite2[2] but that code may not be run whenever
cifs_reopen_file fails with any error other than EAGAIN. In that case,
it would be used, uninitialized, to check it against 0[4] and then
used to modify a series of size_t, ssize_t, loff_t, etc.
I have not tried to follow what could actually happen in that case.
From a quick look to cifs_reopen_file it appears that at least EACCES
and ENOMEM can be returned.
It would appear that this was fixed in 3.4 with the move to async
writes in da82f7e755d2808ba726c9b23267d5bb23980e94
[1]http://sources.debian.net/src/linux/3.2.54-2/fs/cifs/file.c#L2108
[2]http://sources.debian.net/src/linux/3.2.54-2/fs/cifs/file.c#L2190
[3]http://sources.debian.net/src/linux/3.2.54-2/fs/cifs/file.c#L2183
[4]http://sources.debian.net/src/linux/3.2.54-2/fs/cifs/file.c#L2197
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
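The control flow the report describes, as an added C model that is neither the kernel's fs/cifs/file.c nor part of the bug report: model_reopen() and model_write2() are hypothetical stand-ins for cifs_reopen_file() and CIFSSMBWrite2(), the reopen results are scripted from a constructed array, and the "buggy" function keeps the shape in which 'written' is only assigned by the write call, beside a minimal hardening (initializing 'written' per attempt; an illustration, not the upstream 3.4 async-write rewrite) in which a failed reopen reaches the rc < 0 branch instead of an uninitialized read.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>

#define MODEL_CHUNK 4096u

/* Stand-in for cifs_reopen_file(): returns the scripted codes in order,
 * then 0 (success) once the script is exhausted. */
static int model_reopen(const int *script, size_t n, size_t *pos)
{
    if (*pos < n)
        return script[(*pos)++];
    return 0;
}

/* Stand-in for CIFSSMBWrite2(): "writes" at most MODEL_CHUNK bytes and
 * reports the count through *written, which is the only place it is set. */
static int model_write2(size_t len, unsigned int *written)
{
    *written = len < MODEL_CHUNK ? (unsigned int)len : MODEL_CHUNK;
    return 0;
}

/* Shape of the 3.2 loop as the report describes it: a reopen failure other
 * than -EAGAIN breaks out before model_write2() runs, so 'if (written)'
 * reads an uninitialized value (undefined behaviour; never assert on it). */
ssize_t model_write_buggy(const int *script, size_t n, size_t len)
{
    unsigned int written;          /* never initialized */
    ssize_t total_written = 0;
    size_t pos = 0;
    int invalid_handle = 1, rc;

    do {
        do {
            if (invalid_handle) {
                rc = model_reopen(script, n, &pos);
                if (rc == -EAGAIN)
                    continue;      /* retry the reopen */
                if (rc != 0)
                    break;         /* -EACCES, -ENOMEM, ... land here */
                invalid_handle = 0;
            }
            rc = model_write2(len, &written);
        } while (rc == -EAGAIN);

        if (written) {             /* uninitialized after the break above */
            len -= written;
            total_written += written;
        } else if (rc < 0) {
            if (!total_written)
                total_written = rc;
            break;
        }
    } while (len > 0);

    return total_written;
}

/* Minimal hardening: 'written' is reset before every attempt, so a failed
 * reopen leaves it 0 and the error is reported through the rc < 0 branch. */
ssize_t model_write_fixed(const int *script, size_t n, size_t len)
{
    ssize_t total_written = 0;
    size_t pos = 0;
    int invalid_handle = 1, rc;

    do {
        unsigned int written = 0;  /* defined on every path */
        do {
            if (invalid_handle) {
                rc = model_reopen(script, n, &pos);
                if (rc == -EAGAIN)
                    continue;
                if (rc != 0)
                    break;
                invalid_handle = 0;
            }
            rc = model_write2(len, &written);
        } while (rc == -EAGAIN);

        if (written) {
            len -= written;
            total_written += written;
        } else if (rc < 0) {
            if (!total_written)
                total_written = rc;
            break;
        }
    } while (len > 0);

    return total_written;
}
```

With a constructed script of { -EACCES } the hardened model returns -EACCES for any non-empty write, and with { -EAGAIN, -EAGAIN } it retries and then writes the full length in MODEL_CHUNK pieces; the buggy model's result on the -EACCES script depends on whatever happens to be in 'written', which is exactly the defect the report points at.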