]>
Commit | Line | Data |
---|---|---|
00e5a55c BS |
1 | From: Jeff Mahoney <jeffm@suse.com> |
2 | Subject: [PATCH] reiserfs: prepare_error_buf wrongly consumes va_arg | |
3 | ||
4 | vsprintf will consume varargs on its own. Skipping them manually | |
5 | results in garbage in the error buffer, or Oopses in the case of | |
6 | pointers. | |
7 | ||
8 | This patch removes the advancement and fixes a number of bugs where | |
9 | crashes were observed as side effects of a regular error report. | |
10 | ||
11 | Signed-off-by: Jeff Mahoney <jeffm@suse.com> | |
12 | --- | |
13 | ||
14 | fs/reiserfs/prints.c | 12 +++--------- | |
15 | 1 file changed, 3 insertions(+), 9 deletions(-) | |
16 | ||
17 | --- a/fs/reiserfs/prints.c | |
18 | +++ b/fs/reiserfs/prints.c | |
19 | @@ -157,19 +157,16 @@ static void sprintf_disk_child(char *buf | |
20 | dc_size(dc)); | |
21 | } | |
22 | ||
23 | -static char *is_there_reiserfs_struct(char *fmt, int *what, int *skip) | |
24 | +static char *is_there_reiserfs_struct(char *fmt, int *what) | |
25 | { | |
26 | char *k = fmt; | |
27 | ||
28 | - *skip = 0; | |
29 | - | |
30 | while ((k = strchr(k, '%')) != NULL) { | |
31 | if (k[1] == 'k' || k[1] == 'K' || k[1] == 'h' || k[1] == 't' || | |
32 | k[1] == 'z' || k[1] == 'b' || k[1] == 'y' || k[1] == 'a') { | |
33 | *what = k[1]; | |
34 | break; | |
35 | } | |
36 | - (*skip)++; | |
37 | k++; | |
38 | } | |
39 | return k; | |
40 | @@ -193,18 +190,15 @@ static void prepare_error_buf(const char | |
41 | char *fmt1 = fmt_buf; | |
42 | char *k; | |
43 | char *p = error_buf; | |
44 | - int i, j, what, skip; | |
45 | + int what; | |
46 | ||
47 | strcpy(fmt1, fmt); | |
48 | ||
49 | - while ((k = is_there_reiserfs_struct(fmt1, &what, &skip)) != NULL) { | |
50 | + while ((k = is_there_reiserfs_struct(fmt1, &what)) != NULL) { | |
51 | *k = 0; | |
52 | ||
53 | p += vsprintf(p, fmt1, args); | |
54 | ||
55 | - for (i = 0; i < skip; i++) | |
56 | - j = va_arg(args, int); | |
57 | - | |
58 | switch (what) { | |
59 | case 'k': | |
60 | sprintf_le_key(p, va_arg(args, struct reiserfs_key *)); |