Date: Thu, 2 Feb 2017 19:50:29 +0000 (UTC) From: Alan Somers <asomers@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r313103 - in stable/10: sbin/dhclient sys/dev/mpr usr.bin/chat usr.bin/rpcgen usr.bin/tail usr.sbin/diskinfo Message-ID: <201702021950.v12JoT4c053472@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: asomers Date: Thu Feb 2 19:50:28 2017 New Revision: 313103 URL: https://svnweb.freebsd.org/changeset/base/313103 Log: MFC r311160, r311210, r311288, r311292, r311298, r311340 r311160: misc minor fixes in mpr(4) sys/dev/mpr/mpr_sas.c * Fix a potential null pointer dereference (CID 1305731) * Check for overrun of the ccb_scsiio.cdb_io.cdb_bytes buffer (CID 1211934) sys/dev/mpr/mpr_sas_lsi.c * Nullify a dangling pointer in mprsas_get_sata_identify * Fix a memory leak in mprsas_SSU_to_SATA_devices (CID 1211935) Reported by: Coverity (partially) CID: 1305731 1211934 1211935 Reviewed by: slm MFC after: 4 weeks Sponsored by: Spectra Logic Corp Differential Revision: https://reviews.freebsd.org/D8880 r311210: Quell Coverity for diskinfo(8) * CID 1198994: Don't run the speed disk on a disk with no sectors * CID 1011442: Don't call close(2) if open(2) fails * CID 1011161: Use snprintf instead of sprintf * CID 1009825: Check the return value of lseek Reported by: Coverity CID: 1198994 1011442 1011161 1009825 MFC after: 4 weeks Sponsored by: Spectra Logic Corp r311288: Delete dead code in chat(8) It's always been dead, ever since first import in 1994. It's still dead in OpenBSD's version, too. Reported by: Coverity CID: 270586 MFC after: 4 weeks Sponsored by: Spectra Logic Corp r311292: Remove dead code in rpc_parse.c It's been dead ever since it was imported from TI-RPC in 1995. The dead code is still present in Illumos today, but was removed from NetBSD in 2006. Reported by: Coverity CID: 270097 Obtained from: NetBSD MFC after: 4 weeks Sponsored by: Spectra Logic Corp r311298: Remove dead code in dhclient(8) The offending code has been dead ever since the import from OpenBSD in r195805. OpenBSD later deleted that entire function. Reported by: Coverity CID: 500059 MFC after: 4 weeks Sponsored by: Spectra Logic Corp r311340: Misc Coverity fixes for tail(1) CID 1006402: Initialize stack variable CID 271580: Don't leak memory when ENOMEM. Reported by: Coverity CID: 271580 1006402 MFC after: 4 weeks Sponsored by: Spectra Logic Corp Modified: stable/10/sbin/dhclient/dispatch.c stable/10/sys/dev/mpr/mpr_sas.c stable/10/sys/dev/mpr/mpr_sas_lsi.c stable/10/usr.bin/chat/chat.c stable/10/usr.bin/rpcgen/rpc_parse.c stable/10/usr.bin/tail/reverse.c stable/10/usr.sbin/diskinfo/diskinfo.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sbin/dhclient/dispatch.c ============================================================================== --- stable/10/sbin/dhclient/dispatch.c Thu Feb 2 19:23:07 2017 (r313102) +++ stable/10/sbin/dhclient/dispatch.c Thu Feb 2 19:50:28 2017 (r313103) @@ -453,16 +453,12 @@ add_protocol(char *name, int fd, void (* void remove_protocol(struct protocol *proto) { - struct protocol *p, *next, *prev; + struct protocol *p, *next; - prev = NULL; for (p = protocols; p; p = next) { next = p->next; if (p == proto) { - if (prev) - prev->next = p->next; - else - protocols = p->next; + protocols = p->next; free(p); } } Modified: stable/10/sys/dev/mpr/mpr_sas.c ============================================================================== --- stable/10/sys/dev/mpr/mpr_sas.c Thu Feb 2 19:23:07 2017 (r313102) +++ stable/10/sys/dev/mpr/mpr_sas.c Thu Feb 2 19:50:28 2017 (r313103) @@ -1846,8 +1846,12 @@ mprsas_action_scsiio(struct mprsas_softc if (csio->ccb_h.flags & CAM_CDB_POINTER) bcopy(csio->cdb_io.cdb_ptr, &req->CDB.CDB32[0], csio->cdb_len); - else + else { + KASSERT(csio->cdb_len <= IOCDBLEN, + ("cdb_len %d is greater than IOCDBLEN but CAM_CDB_POINTER is not set", + csio->cdb_len)); bcopy(csio->cdb_io.cdb_bytes, &req->CDB.CDB32[0],csio->cdb_len); + } req->IoFlags = htole16(csio->cdb_len); /* @@ -2429,6 +2433,7 @@ mprsas_scsiio_complete(struct mpr_softc * driver is being shutdown. */ if ((csio->cdb_io.cdb_bytes[0] == INQUIRY) && + (csio->data_ptr != NULL) && ((csio->data_ptr[0] & 0x1f) == T_DIRECT) && (sc->mapping_table[target_id].device_info & MPI2_SAS_DEVICE_INFO_SATA_DEVICE) && Modified: stable/10/sys/dev/mpr/mpr_sas_lsi.c ============================================================================== --- stable/10/sys/dev/mpr/mpr_sas_lsi.c Thu Feb 2 19:23:07 2017 (r313102) +++ stable/10/sys/dev/mpr/mpr_sas_lsi.c Thu Feb 2 19:50:28 2017 (r313103) @@ -1056,6 +1056,7 @@ out: mpr_free_command(sc, cm); else if (error == 0) error = EWOULDBLOCK; + cm->cm_data = NULL; free(buffer, M_MPR); return (error); } @@ -1196,18 +1197,18 @@ mprsas_SSU_to_SATA_devices(struct mpr_so continue; } - ccb = xpt_alloc_ccb_nowait(); - if (ccb == NULL) { - mpr_dprint(sc, MPR_FAULT, "Unable to alloc CCB to stop " - "unit.\n"); - return; - } - /* * The stop_at_shutdown flag will be set if this device is * a SATA direct-access end device. */ if (target->stop_at_shutdown) { + ccb = xpt_alloc_ccb_nowait(); + if (ccb == NULL) { + mpr_dprint(sc, MPR_FAULT, "Unable to alloc CCB to stop " + "unit.\n"); + return; + } + if (xpt_create_path(&ccb->ccb_h.path, xpt_periph, pathid, targetid, CAM_LUN_WILDCARD) != CAM_REQ_CMP) { Modified: stable/10/usr.bin/chat/chat.c ============================================================================== --- stable/10/usr.bin/chat/chat.c Thu Feb 2 19:23:07 2017 (r313102) +++ stable/10/usr.bin/chat/chat.c Thu Feb 2 19:50:28 2017 (r313103) @@ -1173,7 +1173,7 @@ int get_string(char *string) { char temp[STR_LEN]; - int c, printed = 0; + int c; size_t len, minlen; char *s = temp, *end = s + STR_LEN; char *logged = temp; @@ -1306,13 +1306,6 @@ get_string(char *string) alarm(0); - if (verbose && printed) { - if (alarmed) - chat_logf(" -- read timed out"); - else - chat_logf(" -- read failed: %m"); - } - exit_code = 3; alarmed = 0; return (0); Modified: stable/10/usr.bin/rpcgen/rpc_parse.c ============================================================================== --- stable/10/usr.bin/rpcgen/rpc_parse.c Thu Feb 2 19:23:07 2017 (r313102) +++ stable/10/usr.bin/rpcgen/rpc_parse.c Thu Feb 2 19:50:28 2017 (r313103) @@ -290,7 +290,6 @@ def_union(definition *defp) declaration dec; case_list *cases; case_list **tailp; - int flag; defp->def_kind = DEF_UNION; scan(TOK_IDENT, &tok); @@ -309,7 +308,6 @@ def_union(definition *defp) cases->case_name = tok.str; scan(TOK_COLON, &tok); /* now peek at next token */ - flag = 0; if (peekscan(TOK_CASE, &tok)){ do { scan2(TOK_IDENT, TOK_CHARCONST, &tok); @@ -322,14 +320,6 @@ def_union(definition *defp) scan(TOK_COLON, &tok); } while (peekscan(TOK_CASE, &tok)); } - else - if (flag) - { - - *tailp = cases; - tailp = &cases->next; - cases = XALLOC(case_list); - }; get_declaration(&dec, DEF_UNION); cases->case_decl = dec; Modified: stable/10/usr.bin/tail/reverse.c ============================================================================== --- stable/10/usr.bin/tail/reverse.c Thu Feb 2 19:23:07 2017 (r313102) +++ stable/10/usr.bin/tail/reverse.c Thu Feb 2 19:50:28 2017 (r313103) @@ -117,6 +117,7 @@ r_reg(FILE *fp, const char *fn, enum STY map.start = NULL; map.mapoff = map.maxoff = size; map.fd = fileno(fp); + map.maplen = 0; /* * Last char is special, ignore whether newline or not. Note that @@ -205,7 +206,13 @@ r_buf(FILE *fp, const char *fn) (tl->l = malloc(BSZ)) == NULL) { if (!mark) err(1, "malloc"); - tl = enomem ? tl->next : mark; + if (enomem) + tl = tl->next; + else { + if (tl) + free(tl); + tl = mark; + } enomem += tl->len; } else if (mark) { tl->next = mark; Modified: stable/10/usr.sbin/diskinfo/diskinfo.c ============================================================================== --- stable/10/usr.sbin/diskinfo/diskinfo.c Thu Feb 2 19:23:07 2017 (r313102) +++ stable/10/usr.sbin/diskinfo/diskinfo.c Thu Feb 2 19:50:28 2017 (r313103) @@ -89,13 +89,12 @@ main(int argc, char **argv) for (i = 0; i < argc; i++) { fd = open(argv[i], O_RDONLY); if (fd < 0 && errno == ENOENT && *argv[i] != '/') { - sprintf(buf, "%s%s", _PATH_DEV, argv[i]); + snprintf(buf, BUFSIZ, "%s%s", _PATH_DEV, argv[i]); fd = open(buf, O_RDONLY); } if (fd < 0) { warn("%s", argv[i]); - exitval = 1; - goto out; + exit(1); } error = ioctl(fd, DIOCGMEDIASIZE, &mediasize); if (error) { @@ -176,7 +175,8 @@ rdsect(int fd, off_t blockno, u_int sect { int error; - lseek(fd, (off_t)blockno * sectorsize, SEEK_SET); + if (lseek(fd, (off_t)blockno * sectorsize, SEEK_SET) == -1) + err(1, "lseek"); error = read(fd, sector, sectorsize); if (error == -1) err(1, "read"); @@ -241,6 +241,9 @@ speeddisk(int fd, off_t mediasize, u_int off_t b0, b1, sectorcount, step; sectorcount = mediasize / sectorsize; + if (sectorcount <= 0) + return; /* Can't test devices with no sectors */ + step = 1ULL << (flsll(sectorcount / (4 * 200)) - 1); if (step > 16384) step = 16384;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201702021950.v12JoT4c053472>