From: Sitsofe Wheeler
Date: Thu, 13 Feb 2014 07:06:40 +0000 (+0000)
Subject: io_u_qiter: Fix buffer overrun
X-Git-Tag: fio-2.1.6~40
X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=6a7a92156a09ff66fd3e0ea062f2cdb339ca73c5;p=fio.git

io_u_qiter: Fix buffer overrun

In io_u_queue.h the io_u_qiter macro loops around io_u_queue structures. The problem comes with the end of loop initialisation:

    i++, io_u = (q)->io_us[i]

For example, if io_us consists of one element and i is 0 then after the first iteration is completed i++, io_u = (q)->io_us[i] will access beyond the end of io_us. Fix this by moving io_u initialisation to the expression part of the for loop (yuck). Found by Dr Memory.

Signed-off-by: Sitsofe Wheeler
Signed-off-by: Jens Axboe
---
diff --git a/io_u_queue.h b/io_u_queue.h index 4f6e8e6a..5b6cad0e 100644 --- a/io_u_queue.h +++ b/io_u_queue.h @@ -29,7 +29,7 @@ static inline int io_u_qempty(struct io_u_queue *q) } #define io_u_qiter(q, io_u, i) \ - for (i = 0, io_u = (q)->io_us[0]; i < (q)->nr; i++, io_u = (q)->io_us[i]) + for (i = 0; i < (q)->nr && (io_u = (q)->io_us[i]); i++) int io_u_qinit(struct io_u_queue *q, unsigned int nr); void io_u_qexit(struct io_u_queue *q);
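Review bot: the replacement loop condition `i < (q)->nr && (io_u = (q)->io_us[i])` makes termination depend on every slot below `nr` holding a non-NULL pointer; if a NULL ever sits in `io_us[i]` for some `i < nr`, the loop now stops early and silently skips the remaining entries, whereas the old form only mis-read one pointer past the end. That invariant should be stated in a comment next to the macro (or checked in io_u_qinit/the push path) so a future change to the queue does not turn this into a quiet iteration bug. Also worth noting for the log: the overrun being fixed is a read of `io_us[nr]`, one pointer past the allocated array, on the final `i++`; it only lands in `io_u` and the loop then exits, which is why it was invisible without a tool like Dr Memory. The extra parentheses around the assignment are the right call, since they keep `-Wparentheses` quiet and signal the assignment-in-condition is intentional.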