Date: Mon, 16 May 2016 23:00:48 +0000 (UTC) From: Don Lewis <truckman@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r299986 - head/usr.sbin/rpc.lockd Message-ID: <201605162300.u4GN0mAh075952@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: truckman Date: Mon May 16 23:00:48 2016 New Revision: 299986 URL: https://svnweb.freebsd.org/changeset/base/299986 Log: Actually use the loop interation limit so carefully computed on the previous line to prevent buffer overflow. This turns out to not be important because the upstream xdr code already capped the object size at the proper value. Using the correct limit here looks a lot less scary and should please Coverity. Reported by: Coverity CID: 1199309, 1199310 MFC after: 1 week Modified: head/usr.sbin/rpc.lockd/lock_proc.c Modified: head/usr.sbin/rpc.lockd/lock_proc.c ============================================================================== --- head/usr.sbin/rpc.lockd/lock_proc.c Mon May 16 22:57:36 2016 (r299985) +++ head/usr.sbin/rpc.lockd/lock_proc.c Mon May 16 23:00:48 2016 (r299986) @@ -112,7 +112,7 @@ log_netobj(netobj *obj) } /* Prevent the security hazard from the buffer overflow */ maxlen = (obj->n_len < MAX_NETOBJ_SZ ? obj->n_len : MAX_NETOBJ_SZ); - for (i=0, tmp1 = objvalbuffer, tmp2 = objascbuffer; i < obj->n_len; + for (i=0, tmp1 = objvalbuffer, tmp2 = objascbuffer; i < maxlen; i++, tmp1 +=2, tmp2 +=1) { sprintf(tmp1,"%02X",*(obj->n_bytes+i)); sprintf(tmp2,"%c",*(obj->n_bytes+i));
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605162300.u4GN0mAh075952>