From owner-svn-src-all@freebsd.org Fri Feb 19 14:01:37 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 71C6DAAE39B; Fri, 19 Feb 2016 14:01:37 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 28B811C02; Fri, 19 Feb 2016 14:01:37 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u1JE1aj0007221; Fri, 19 Feb 2016 14:01:36 GMT (envelope-from se@FreeBSD.org) Received: (from se@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u1JE1acp007220; Fri, 19 Feb 2016 14:01:36 GMT (envelope-from se@FreeBSD.org) Message-Id: <201602191401.u1JE1acp007220@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: se set sender to se@FreeBSD.org using -f 
From: Stefan Esser Date: Fri, 19 Feb 2016 14:01:36 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r295806 - head/usr.sbin/pciconf X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Feb 2016 14:01:37 -0000 Author: se Date: Fri Feb 19 14:01:35 2016 New Revision: 295806 URL: https://svnweb.freebsd.org/changeset/base/295806 Log: Fix possible out-of-bounds access detected by Ulrich Spörleins "scan-build". Some invalid PCI device selectors could cause read access to an initialized variable next to the array (local loop index variable). While here, the parser has been made more strict with regard to the syntax of PCI device selectors as documented in the man-page. E.g. "pci:" used to be interpreted as "pci0:0". MFC after: 3 days Modified: head/usr.sbin/pciconf/pciconf.c Modified: head/usr.sbin/pciconf/pciconf.c ============================================================================== --- head/usr.sbin/pciconf/pciconf.c Fri Feb 19 11:25:18 2016 (r295805) +++ head/usr.sbin/pciconf/pciconf.c Fri Feb 19 14:01:35 2016 (r295806) @@ -897,7 +897,6 @@ static struct pcisel parsesel(const char *str) { const char *ep; - const char *epbase; char *eppos; struct pcisel sel; unsigned long selarr[4]; 
@@ -909,30 +908,27 @@ parsesel(const char *str) else ep = str; - epbase = ep; - if (strncmp(ep, "pci", 3) == 0) { ep += 3; i = 0; - do { + while (isdigit(*ep) && i < 4) { selarr[i++] = strtoul(ep, &eppos, 10); ep = eppos; - } while ((*ep == ':' || *ep == '.') && *++ep != '\0' && i < 4); - - if (i > 2) - sel.pc_func = selarr[--i]; - else - sel.pc_func = 0; - sel.pc_dev = selarr[--i]; - sel.pc_bus = selarr[--i]; - if (i > 0) - sel.pc_domain = selarr[--i]; - else - sel.pc_domain = 0; + if (*ep == ':') { + ep++; + if (*ep == '\0') + i = 0; + } + } + if (i > 0 && *ep == '\0') { + sel.pc_func = (i > 2) ? selarr[--i] : 0; + sel.pc_dev = (i > 0) ? selarr[--i] : 0; + sel.pc_bus = (i > 0) ? selarr[--i] : 0; + sel.pc_domain = (i > 0) ? selarr[--i] : 0; + return (sel); + } } - if (*ep != '\x0' || ep == epbase) - errx(1, "cannot parse selector %s", str); - return sel; + errx(1, "cannot parse selector %s", str); } static struct pcisel
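Review bot: The numbers returned by `strtoul` are stored straight into `sel.pc_func`, `sel.pc_dev`, `sel.pc_bus` and `sel.pc_domain` inside the new `if (i > 0 && *ep == '\0')` block with no range check, so an out-of-range component is narrowed to the field width and the selector silently resolves to a different device than the one typed (struct pcisel is declared outside this page; its fields are presumably narrower than `unsigned long`). Since pciconf also has a register-write mode, such a selector should be a parse error like the other malformed ones. Bounding each component before assignment also covers the `ULONG_MAX` that `strtoul` returns on overflow; the sketch below assumes the `PCI_*MAX` limits from `dev/pci/pcireg.h` are in scope in this file. Separately, `isdigit(*ep)` is passed a plain `char`, and `isdigit((unsigned char)*ep)` avoids undefined behaviour for bytes with the high bit set.

```c
		/* … unchanged: "pci" prefix check and digit/colon parsing loop … */
		if (i > 0 && *ep == '\0') {
			unsigned long func = (i > 2) ? selarr[--i] : 0;
			unsigned long dev = (i > 0) ? selarr[--i] : 0;
			unsigned long bus = (i > 0) ? selarr[--i] : 0;
			unsigned long domain = (i > 0) ? selarr[--i] : 0;

			/* Reject values the pcisel fields would silently truncate. */
			if (func <= PCI_FUNCMAX && dev <= PCI_SLOTMAX &&
			    bus <= PCI_BUSMAX && domain <= PCI_DOMAINMAX) {
				sel.pc_func = func;
				sel.pc_dev = dev;
				sel.pc_bus = bus;
				sel.pc_domain = domain;
				return (sel);
			}
		}
	}
	errx(1, "cannot parse selector %s", str);
```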