From wosch@apfel.de  Sun Apr 27 14:34:25 1997
Received: from bsd.fs.bauing.th-darmstadt.de (bsd.fs.bauing.th-darmstadt.de [130.83.63.241])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA00470
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 27 Apr 1997 14:34:24 -0700 (PDT)
Received: from campa.panke.de (anonymous224.ppp.cs.tu-berlin.de [130.149.17.224])
	by bsd.fs.bauing.th-darmstadt.de (8.8.5/8.8.5) with ESMTP id XAA00955
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 27 Apr 1997 23:34:21 +0200 (MET DST)
Received: (from wosch@localhost) by campa.panke.de (8.8.5/8.6.12) id XAA07815; Sun, 27 Apr 1997 23:07:55 +0200 (MET DST)
Message-Id: <199704272107.XAA07815@campa.panke.de>
Date: Sun, 27 Apr 1997 23:07:55 +0200 (MET DST)
From: Wolfram Schneider <wosch@apfel.de>
To: FreeBSD-gnats-submit@freebsd.org
Subject: off by one error in ffs_alloc
X-Send-Pr-Version: 3.2

>Number:         3398
>Category:       kern
>Synopsis:       off by one error in ffs_alloc
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 27 14:40:00 PDT 1997
>Closed-Date:    Thu Sep 18 11:07:53 PDT 1997
>Last-Modified:  Thu Sep 18 11:11:19 PDT 1997
>Originator:     Wolfram Schneider
>Release:        FreeBSD 2.2-RELEASE i386
>Organization:
>Environment:
>Description:


Ffs_alloc allows users to write one block beyond the limit.

# An almost full file system
$ df /
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/sd0a       32254    29672        2   100%    /

# write 8KByte
$ dd if=/dev/zero of=/var/tmp/test2 bs=8k count=1;

# Avail is 6Kbyte beyond the limit
$ df /
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/sd0a       32254    29680       -6   100%    /


>How-To-Repeat:
>Fix:
Reading the source, the problem seems to be in
ffs_alloc.c line 120.

Index: ffs_alloc.c
===================================================================
RCS file: /usr/cvs/src/sys/ufs/ffs/ffs_alloc.c,v
retrieving revision 1.33
diff -u -r1.33 ffs_alloc.c
--- ffs_alloc.c	1997/03/23 20:08:16	1.33
+++ ffs_alloc.c	1997/04/27 20:58:26
@@ -120,7 +120,7 @@
 #endif /* DIAGNOSTIC */
 	if (size == fs->fs_bsize && fs->fs_cstotal.cs_nbfree == 0)
 		goto nospace;
-	if (cred->cr_uid != 0 && freespace(fs, fs->fs_minfree) <= 0)
+	if (cred->cr_uid != 0 && freespace(fs, fs->fs_minfree) - size < 0)
 		goto nospace;
 #ifdef QUOTA
 	error = chkdq(ip, (long)btodb(size), cred, 0);
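Review bot: the new condition `freespace(fs, fs->fs_minfree) - size < 0` needs its operands checked for matching units. `size` here is the request in bytes (the DIAGNOSTIC block just above compares it with `fs->fs_bsize`), while `freespace()` is built from the superblock's `cs_nbfree`/`cs_nffree` counters and so yields fragments; if that is the case, an 8 KB request on a 1 KB-fragment file system deducts 8192 instead of 8 and the check refuses non-root writers long before the reserve is reached. Suggest converting first, `freespace(fs, fs->fs_minfree) - numfrags(fs, size) < 0`, which keeps the intent of the fix (refuse when the request itself would dip into the reserve) without changing the units of the comparison.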

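The behaviour described in the report and the shape of the fix, as an added toy model that is not the PR's code nor the kernel's: the revision 1.33 check beside a corrected one, with the df figures from the description replayed through both. It assumes the default 8% minfree reserve (which matches Avail 2 with 2582 free 1K fragments) and subtracts the request in fragment units, a numfrags-style conversion that goes one step beyond the patch above, which subtracts `size` directly.

```c
#include <errno.h>

/* Toy model of FFS free-space accounting (constructed, not the kernel's
 * own structures): counts are in fragments, as in the real superblock. */
struct toyfs {
    long fs_dsize;   /* data fragments in the file system */
    long fs_nbfree;  /* free whole blocks (cs_nbfree) */
    long fs_nffree;  /* free fragments    (cs_nffree) */
    int  fs_bsize;   /* block size, bytes */
    int  fs_fsize;   /* fragment size, bytes */
    int  fs_frag;    /* fragments per block */
    int  fs_minfree; /* reserved percentage */
};

/* Free fragments above the minfree reserve, same shape as the FFS
 * freespace() macro; may be negative, which is what df shows as Avail. */
static long freespace(const struct toyfs *fs, int pct)
{
    return fs->fs_nbfree * fs->fs_frag + fs->fs_nffree - fs->fs_dsize * pct / 100;
}

/* Check as in revision 1.33: refuses only once the reserve is already
 * used up, so a request larger than what is left is still granted. */
static int alloc_old(struct toyfs *fs, int size, unsigned uid)
{
    if (uid != 0 && freespace(fs, fs->fs_minfree) <= 0)
        return ENOSPC;
    fs->fs_nbfree -= size / fs->fs_bsize;   /* whole blocks only in this model */
    return 0;
}

/* The request is subtracted before comparing, converted to fragments
 * (assumed conversion: size / fs_fsize, as numfrags() would do). */
static int alloc_fixed(struct toyfs *fs, int size, unsigned uid)
{
    if (uid != 0 && freespace(fs, fs->fs_minfree) - size / fs->fs_fsize < 0)
        return ENOSPC;
    fs->fs_nbfree -= size / fs->fs_bsize;
    return 0;
}

/* Replays the PR's df figures (32254 1K fragments, 2582 free, 8% reserve)
 * for one 8 KB write by `uid` and returns the resulting Avail in 1K units. */
static long replay_pr(int use_fixed, unsigned uid)
{
    struct toyfs fs = { 32254, 322, 6, 8192, 1024, 8, 8 };
    (void)(use_fixed ? alloc_fixed : alloc_old)(&fs, 8192, uid);
    return freespace(&fs, fs.fs_minfree);
}
```

With the old check a non-root 8 KB write drives Avail from 2 to -6, exactly the df output in the description; the corrected check refuses it and leaves Avail at 2, while root is still allowed into the reserve.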

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: phk
State-Changed-When: Thu Sep 18 11:07:53 PDT 1997
State-Changed-Why:
applied the patch, thankyou!
>Unformatted:
