From owner-svn-src-all@freebsd.org Mon May 16 23:00:49 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E922AB3DEE6; Mon, 16 May 2016 23:00:49 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AF73A1B45; Mon, 16 May 2016 23:00:49 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u4GN0mj4075953; Mon, 16 May 2016 23:00:48 GMT (envelope-from truckman@FreeBSD.org) Received: (from truckman@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u4GN0mAh075952; Mon, 16 May 2016 23:00:48 GMT (envelope-from truckman@FreeBSD.org) Message-Id: <201605162300.u4GN0mAh075952@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: truckman set sender to truckman@FreeBSD.org using -f From: Don Lewis Date: Mon, 16 May 2016 23:00:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r299986 - head/usr.sbin/rpc.lockd X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 May 2016 23:00:50 -0000 Author: truckman Date: Mon May 16 23:00:48 2016 New Revision: 299986 URL: https://svnweb.freebsd.org/changeset/base/299986 Log: Actually use the loop interation limit so carefully computed on the previous line to prevent buffer overflow. This turns out to not be important because the upstream xdr code already capped the object size at the proper value. Using the correct limit here looks a lot less scary and should please Coverity. Reported by: Coverity CID: 1199309, 1199310 MFC after: 1 week Modified: head/usr.sbin/rpc.lockd/lock_proc.c Modified: head/usr.sbin/rpc.lockd/lock_proc.c ============================================================================== --- head/usr.sbin/rpc.lockd/lock_proc.c Mon May 16 22:57:36 2016 (r299985) +++ head/usr.sbin/rpc.lockd/lock_proc.c Mon May 16 23:00:48 2016 (r299986) @@ -112,7 +112,7 @@ log_netobj(netobj *obj) } /* Prevent the security hazard from the buffer overflow */ maxlen = (obj->n_len < MAX_NETOBJ_SZ ? obj->n_len : MAX_NETOBJ_SZ); - for (i=0, tmp1 = objvalbuffer, tmp2 = objascbuffer; i < obj->n_len; + for (i=0, tmp1 = objvalbuffer, tmp2 = objascbuffer; i < maxlen; i++, tmp1 +=2, tmp2 +=1) { sprintf(tmp1,"%02X",*(obj->n_bytes+i)); sprintf(tmp2,"%c",*(obj->n_bytes+i));