diff mbox

[OpenWrt-Devel,1/5] uloop: fix out-of-bound loop index.

Message ID 1421846488-323-1-git-send-email-yszhou4tech@gmail.com
State Rejected
Headers show

Commit Message

Yousong Zhou Jan. 21, 2015, 1:21 p.m. UTC 
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
 uloop.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Felix Fietkau Jan. 21, 2015, 6:58 p.m. UTC | #1 
On 2015-01-21 14:21, Yousong Zhou wrote:
> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
> ---
>  uloop.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/uloop.c b/uloop.c
> index 9a77ce4..3224f4b 100644
> --- a/uloop.c
> +++ b/uloop.c
> @@ -394,11 +394,11 @@ int uloop_fd_delete(struct uloop_fd *fd)
>  {
>  	int i;
>  
> -	for (i = 0; i < cur_nfds; i++) {
> -		if (cur_fds[cur_fd + i].fd != fd)
> +	for (i = cur_fd; i < cur_nfds; i++) {
> +		if (cur_fds[i].fd != fd)
This patch (aside from the fact that it's completely missing an
explanation) seems wrong to me.
cur_nfds really means the number of file descriptors in the struct, not
the array size starting at 0.
Take a look at uloop_run_events - when it increments cur_fd, it also
decrements cur_nfds.

- Felix
Yousong Zhou Jan. 22, 2015, 12:01 p.m. UTC | #2 
On 22 January 2015 at 02:58, Felix Fietkau <nbd@openwrt.org> wrote:
> On 2015-01-21 14:21, Yousong Zhou wrote:
>> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
>> ---
>>  uloop.c | 6 +++---
>>  1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/uloop.c b/uloop.c
>> index 9a77ce4..3224f4b 100644
>> --- a/uloop.c
>> +++ b/uloop.c
>> @@ -394,11 +394,11 @@ int uloop_fd_delete(struct uloop_fd *fd)
>>  {
>>       int i;
>>
>> -     for (i = 0; i < cur_nfds; i++) {
>> -             if (cur_fds[cur_fd + i].fd != fd)
>> +     for (i = cur_fd; i < cur_nfds; i++) {
>> +             if (cur_fds[i].fd != fd)
> This patch (aside from the fact that it's completely missing an
> explanation) seems wrong to me.
> cur_nfds really means the number of file descriptors in the struct, not
> the array size starting at 0.
> Take a look at uloop_run_events - when it increments cur_fd, it also
> decrements cur_nfds.
>

Yes, I got the point now.  Thanks for the clarification.

> - Felix
diff mbox

Patch

diff --git a/uloop.c b/uloop.c
index 9a77ce4..3224f4b 100644
--- a/uloop.c
+++ b/uloop.c
@@ -394,11 +394,11 @@  int uloop_fd_delete(struct uloop_fd *fd)
 {
 	int i;
 
-	for (i = 0; i < cur_nfds; i++) {
-		if (cur_fds[cur_fd + i].fd != fd)
+	for (i = cur_fd; i < cur_nfds; i++) {
+		if (cur_fds[i].fd != fd)
 			continue;
 
-		cur_fds[cur_fd + i].fd = NULL;
+		cur_fds[i].fd = NULL;
 	}
 
 	if (!fd->registered)