r24164: Fix for write cache corruption bug reported by Jean-Francois Panisset <paniss...
authorJeremy Allison <jra@samba.org>
Fri, 3 Aug 2007 16:51:43 +0000 (16:51 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:29:17 +0000 (12:29 -0500)
Awaiting confirmation from reporter.
Jeremy.

source/smbd/fileio.c

index e797dbda14f68f6da5d7270d870fa555717cb617..76b29ec998dbf82bafce98baa075cb3229856a30 100644 (file)
@@ -508,15 +508,20 @@ nonop=%u allocated=%u active=%u direct=%u perfect=%u readhits=%u\n",
 
                        write_path = 3;
 
-                } else if ( (pos >= wcp->file_size) && 
+                } else if ( (pos >= wcp->file_size) &&
                            (n == 1) &&
-                           (pos < wcp->offset + 2*wcp->alloc_size) &&
-                           (wcp->file_size == wcp->offset + wcp->data_size)) {
+                           (wcp->file_size == wcp->offset + wcp->data_size) &&
+                           (pos < wcp->file_size + wcp->alloc_size)) {
 
                         /*
-                        +---------------+
-                        | Cached data   |
-                        +---------------+
+
+                End of file ---->|
+
+                 +---------------+---------------+
+                 | Cached data   | Cache buffer  |
+                 +---------------+---------------+
+
+                                 |<------- allocated size ---------------->|
 
                                                          +--------+
                                                          | 1 Byte |
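Review bot: The new bound `(pos < wcp->file_size + wcp->alloc_size)` is the test that keeps the later `wcp->data_size = pos - wcp->file_size + 1` and the `memset` of that many bytes inside the `alloc_size` cache buffer, but nothing at the condition says so, and a reader sees four similar-looking tests with no hint which one is load-bearing. I would add a comment above the `else if`: `/* The last test bounds data_size (pos - file_size + 1) to alloc_size; the memset/memcpy into wcp->data below depend on it. */`. Since `pos >= wcp->file_size` is tested first, the subtraction in `data_size` cannot wrap, which is worth stating in the same comment. The arithmetic this guards is in the second hunk of this file, and the enclosing function starts before this hunk and ends after it.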
@@ -524,13 +529,18 @@ nonop=%u allocated=%u active=%u direct=%u perfect=%u readhits=%u\n",
 
                        MS-Office seems to do this a lot to determine if there's enough
                        space on the filesystem to write a new file.
-                        */
 
-                       SMB_BIG_UINT new_start = wcp->offset + wcp->data_size;
+                       Change to :
+
+                End of file ---->|
+                                 +-----------------------+--------+
+                                 | Zeroed Cached data    | 1 Byte |
+                                 +-----------------------+--------+
+                        */
 
                        flush_write_cache(fsp, WRITE_FLUSH);
-                       wcp->offset = new_start;
-                       wcp->data_size = pos - new_start + 1;
+                       wcp->offset = wcp->file_size;
+                       wcp->data_size = pos - wcp->file_size + 1;
                        memset(wcp->data, '\0', wcp->data_size);
                        memcpy(wcp->data + wcp->data_size-1, data, 1);