From owner-svn-src-head@freebsd.org Wed May 25 15:43:02 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 80A73B4AECA; Wed, 25 May 2016 15:43:02 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 34DB81D68; Wed, 25 May 2016 15:43:02 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u4PFh1q3077087; Wed, 25 May 2016 15:43:01 GMT (envelope-from truckman@FreeBSD.org) Received: (from truckman@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u4PFh146077085; Wed, 25 May 2016 15:43:01 GMT (envelope-from truckman@FreeBSD.org) Message-Id: <201605251543.u4PFh146077085@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: truckman set sender to truckman@FreeBSD.org using -f From: Don Lewis Date: Wed, 25 May 2016 15:43:01 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r300685 - head/sbin/camcontrol X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 May 2016 15:43:02 -0000 Author: truckman Date: Wed May 25 15:43:01 2016 New Revision: 300685 URL: https://svnweb.freebsd.org/changeset/base/300685 Log: Fix a couple of new instances of a false positive Coverity buffer overflow defect. Use the new CCB_CLEAR_ALL_EXCEPT_HDR() macro instead of the calling bzero() on the pointer to the header used as an array and indexed by 1. Don't leak a buffer after executing "goto restart_report" by overwriting its pointer with the results of another calloc(). Be sure to clear the buffer before reusing it. (CID 1356042) Reported by: Coverity CID: 1356022, 1356034, 1356023, 1356035, 1356042 Reviewed by: ken Modified: head/sbin/camcontrol/epc.c head/sbin/camcontrol/zone.c Modified: head/sbin/camcontrol/epc.c ============================================================================== --- head/sbin/camcontrol/epc.c Wed May 25 15:42:39 2016 (r300684) +++ head/sbin/camcontrol/epc.c Wed May 25 15:43:01 2016 (r300685) @@ -633,8 +633,7 @@ epc(struct cam_device *device, int argc, goto bailout; } - bzero(&(&ccb->ccb_h)[1], - sizeof(union ccb) - sizeof(struct ccb_hdr)); + CCB_CLEAR_ALL_EXCEPT_HDR(ccb); while ((c = getopt(argc, argv, combinedopt)) != -1) { switch (c) { Modified: head/sbin/camcontrol/zone.c ============================================================================== --- head/sbin/camcontrol/zone.c Wed May 25 15:42:39 2016 (r300684) +++ head/sbin/camcontrol/zone.c Wed May 25 15:43:01 2016 (r300685) @@ -347,8 +347,7 @@ zone(struct cam_device *device, int argc goto bailout; } - bzero(&(&ccb->ccb_h)[1], - sizeof(union ccb) - sizeof(struct ccb_hdr)); + CCB_CLEAR_ALL_EXCEPT_HDR(ccb); while ((c = getopt(argc, argv, combinedopt)) != -1) { switch (c) { @@ -484,7 +483,8 @@ restart_report: sector_count = ZAC_ATA_SECTOR_COUNT(alloc_len); protocol = AP_PROTO_DMA; } else { - cdb_storage = calloc(cdb_storage_len, 1); + if (cdb_storage == NULL) + cdb_storage = calloc(cdb_storage_len, 1); if (cdb_storage == NULL) err(1, "couldn't allocate memory"); @@ -662,6 +662,8 @@ restart_report: if (zp_status == ZONE_PRINT_MORE_DATA) { bzero(ccb, sizeof(*ccb)); first_pass = 0; + if (cdb_storage != NULL) + bzero(cdb_storage, cdb_storage_len); goto restart_report; } else if (zp_status == ZONE_PRINT_ERROR) error = 1;