Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 24 Apr 2017 21:41:04 +0000 (UTC)
From:      Brooks Davis <brooks@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r317387 - stable/10/lib/libutil
Message-ID:  <201704242141.v3OLf4Uq088609@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: brooks
Date: Mon Apr 24 21:41:04 2017
New Revision: 317387
URL: https://svnweb.freebsd.org/changeset/base/317387

Log:
  MFC r316766:
  
  Correct an out of bounds read with HN_AUTOSCALE and very large numbers.
  
  The maximum scale is 6 (K, M, G, T, P, E) (B is 0).
  
  Overly large explict scales were checked correctly, but for sufficently
  large numbers HN_AUTOSCALE would get to 7 resulting in an out of bounds
  read.
  
  Found with humanize_number_test and CHERI bounds checking.
  
  Reviewed by:	emaste
  Obtained from:	CheriBSD
  Sponsored by:	DARPA, AFRL

Modified:
  stable/10/lib/libutil/humanize_number.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/lib/libutil/humanize_number.c
==============================================================================
--- stable/10/lib/libutil/humanize_number.c	Mon Apr 24 21:35:02 2017	(r317386)
+++ stable/10/lib/libutil/humanize_number.c	Mon Apr 24 21:41:04 2017	(r317387)
@@ -43,7 +43,7 @@ __FBSDID("$FreeBSD$");
 #include <locale.h>
 #include <libutil.h>
 
-static const int maxscale = 7;
+static const int maxscale = 6;
 
 int
 humanize_number(char *buf, size_t len, int64_t quotient,
@@ -64,7 +64,7 @@ humanize_number(char *buf, size_t len, i
 		return (-1);
 	if (scale < 0)
 		return (-1);
-	else if (scale >= maxscale &&
+	else if (scale > maxscale &&
 	    ((scale & ~(HN_AUTOSCALE|HN_GETSCALE)) != 0))
 		return (-1);
 	if ((flags & HN_DIVISOR_1000) && (flags & HN_IEC_PREFIXES))



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201704242141.v3OLf4Uq088609>