Date:      Mon, 18 Feb 2019 18:57:52 +0000 (UTC)
From:      Brooks Davis <brooks@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r344263 - stable/11/sbin/mdmfs
Message-ID:  <201902181857.x1IIvqC1075212@repo.freebsd.org>

Author: brooks
Date: Mon Feb 18 18:57:52 2019
New Revision: 344263
URL: https://svnweb.freebsd.org/changeset/base/344263

Log:
  MFC r344023:
  
  mdmfs: Fix many bugs in automatic md(4) creation.
  
  This code allocated a correctly sized buffer, read past the end of
  the source buffer, writing off the end of the target buffer, and then
  writing a '\0' terminator past the end of the target buffer (in the
  wrong place). It then leaked the buffer.
  
  Switch to a statically sized buffer on the stack and update the source
  pointer and length before use so the correct things are copied.
  
  Fix a logic error in the checks that the format of the line is as
  expected and move one out of an assert.
  
  Remove an unneeded close(). fclose() closes the descriptor.
  
  Found with:	CheriABI
  Obtained from:	CheriBSD
  Reviewed by:	kib, jhb, markj
  Sponsored by:	DARPA, AFRL
  Differential Revision:	https://reviews.freebsd.org/D19122

Modified:
  stable/11/sbin/mdmfs/mdmfs.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sbin/mdmfs/mdmfs.c
==============================================================================
--- stable/11/sbin/mdmfs/mdmfs.c	Mon Feb 18 18:44:20 2019	(r344262)
+++ stable/11/sbin/mdmfs/mdmfs.c	Mon Feb 18 18:57:52 2019	(r344263)
@@ -441,7 +441,8 @@ static void
 do_mdconfig_attach_au(const char *args, const enum md_types mdtype)
 {
 	const char *ta;		/* Type arg. */
-	char *linep, *linebuf; 	/* Line pointer, line buffer. */
+	char *linep;
+	char linebuf[12];	/* 32-bit unit (10) + '\n' (1) + '\0' (1) */
 	int fd;			/* Standard output of mdconfig invocation. */
 	FILE *sfd;
 	int rv;
@@ -475,14 +476,15 @@ do_mdconfig_attach_au(const char *args, const enum md_
 	if (sfd == NULL)
 		err(1, "fdopen");
 	linep = fgetln(sfd, &linelen);
-	if (linep == NULL && linelen < mdnamelen + 1)
-		errx(1, "unexpected output from mdconfig (attach)");
 	/* If the output format changes, we want to know about it. */
-	assert(strncmp(linep, mdname, mdnamelen) == 0);
-	linebuf = malloc(linelen - mdnamelen + 1);
-	assert(linebuf != NULL);
+	if (linep == NULL || linelen <= mdnamelen + 1 ||
+	    linelen - mdnamelen >= sizeof(linebuf) ||
+	    strncmp(linep, mdname, mdnamelen) != 0)
+		errx(1, "unexpected output from mdconfig (attach)");
+	linep += mdnamelen;
+	linelen -= mdnamelen;
 	/* Can't use strlcpy because linep is not NULL-terminated. */
-	strncpy(linebuf, linep + mdnamelen, linelen);
+	strncpy(linebuf, linep, linelen);
 	linebuf[linelen] = '\0';
 	ul = strtoul(linebuf, &p, 10);
 	if (ul == ULONG_MAX || *p != '\n')
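Review bot: The unchanged test `if (ul == ULONG_MAX || *p != '\n')` still bounds the parsed value only against `ULONG_MAX`, so where `unsigned long` is 64 bits a 10-digit number above the 32-bit range named in the `linebuf` size comment is accepted and then narrowed by `unit = ul` (the declaration of `unit` is outside the diff, so its width is inferred). `strtoul` also skips leading whitespace and accepts a sign, so text such as `-2` converts without an error being reported. Because this line is read from a child process's output, I would require a leading digit and bound the value before the assignment, e.g. `if (!isdigit((unsigned char)linebuf[0]) || ul > INT_MAX || *p != '\n')`, with the limit adjusted to the real type of `unit`. The body of this `if` and the start of the function lie outside the hunk.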
@@ -490,7 +492,6 @@ do_mdconfig_attach_au(const char *args, const enum md_
 	unit = ul;
 
 	fclose(sfd);
-	close(fd);
 }
 
 /*


