Description
The dt_read function in md_mddb.c allocates a buffer to read in the data tags
from a replica. The number of bytes in the allocated buffer is MDDB_DT_BYTES,
a constant. A few lines later there is a for loop to read data from disk
into the buffer. The loop reads in lbp->lb_dtblkcnt blocks, where lbp is a
pointer to a locator block (mddb_lb_t *). If it should ever happen that the
block count in the locator block is greater than 1 (an admittedly unlikely event),
data will be written past the end of the allocated buffer.
Note that the code has been running successfully for years, and I know no reason
why lb_dtblkcnt would ever be greater than 1. Still, the call to kmem_zalloc and
the read loop should be using the same data.
xxxxx@xxxxx.com 2005-03-14 19:22:57 GMT
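The defect described above is a size/bound mismatch: the allocation uses a constant while the copy loop trusts a count read from on-disk metadata. The following is an added illustration, not code from md_mddb.c or from the bug reporter, of the pattern a fix would follow. The struct layout, the block size, MDDB_DT_BYTES being two blocks, the fake in-memory "disk", and the function names (`dt_read_checked`, `read_block`, `seed_fake_disk`) are all constructed assumptions for the example; the point is that the buffer length and the loop bound derive from the same number, and the header-supplied count is validated against the buffer's capacity before any block is copied.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the on-disk layout (assumed sizes, not Solaris's). */
#define DEV_BSIZE      512
#define MDDB_DT_BYTES  (2 * DEV_BSIZE)   /* constant-sized data tag buffer, as in the report */

typedef struct {
    uint32_t lb_dtblkcnt;    /* data tag block count recorded in the locator block */
    uint32_t lb_dtfirstblk;  /* first block of the data tag region (assumed field) */
} mddb_lb_t;

/* Simulated replica device: a constructed byte array, 8 blocks long. */
#define FAKE_DISK_BLOCKS 8
static unsigned char fake_disk[FAKE_DISK_BLOCKS * DEV_BSIZE];

/* Fill the fake device with a pattern so reads can be checked. */
void seed_fake_disk(unsigned char pattern) {
    memset(fake_disk, pattern, sizeof(fake_disk));
}

/* Read one block from the fake device; 0 on success, -1 if the block is out of range. */
static int read_block(uint32_t blk, unsigned char *dst) {
    if (blk >= FAKE_DISK_BLOCKS) return -1;
    memcpy(dst, fake_disk + (size_t)blk * DEV_BSIZE, DEV_BSIZE);
    return 0;
}

/*
 * Hardened dt_read. The number of bytes the loop will write is computed from
 * the same lb_dtblkcnt the loop iterates over, checked for multiplication
 * overflow, and rejected if it exceeds the fixed MDDB_DT_BYTES allocation.
 * Returns 0 and hands back the buffer and byte count, or a negative errno.
 */
int dt_read_checked(const mddb_lb_t *lbp, unsigned char **out, size_t *outlen) {
    if (lbp->lb_dtblkcnt == 0) return -EINVAL;
    if (lbp->lb_dtblkcnt > SIZE_MAX / DEV_BSIZE) return -EOVERFLOW;
    size_t need = (size_t)lbp->lb_dtblkcnt * DEV_BSIZE;
    if (need > MDDB_DT_BYTES) return -EOVERFLOW;   /* metadata claims more than the buffer holds */

    unsigned char *buf = calloc(1, MDDB_DT_BYTES);  /* kmem_zalloc stand-in */
    if (buf == NULL) return -ENOMEM;

    /* Every iteration now stays within [buf, buf + MDDB_DT_BYTES). */
    for (uint32_t i = 0; i < lbp->lb_dtblkcnt; i++) {
        if (read_block(lbp->lb_dtfirstblk + i, buf + (size_t)i * DEV_BSIZE) != 0) {
            free(buf);
            return -EIO;
        }
    }
    *out = buf;
    *outlen = need;
    return 0;
}

int main(void) {
    seed_fake_disk(0xAB);
    unsigned char *p = NULL;
    size_t n = 0;
    mddb_lb_t ok = { 1, 0 };       /* the normal case: one data tag block */
    mddb_lb_t toobig = { 3, 0 };   /* a corrupted or hostile count: 3 blocks > 2-block buffer */
    printf("blkcnt=1 -> %d (bytes=%zu)\n", dt_read_checked(&ok, &p, &n), n);
    free(p);
    printf("blkcnt=3 -> %d (expect %d, EOVERFLOW)\n", dt_read_checked(&toobig, &p, &n), -EOVERFLOW);
    return 0;
}
```

The defensive check is deliberately placed before the allocation and the loop: a count that cannot fit is rejected without touching memory, and a count that fits bounds the loop exactly, so the kmem_zalloc size and the read loop can no longer disagree.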