From owner-svn-src-stable@freebsd.org  Wed Mar 22 18:28:10 2017
Return-Path: <owner-svn-src-stable@freebsd.org>
Delivered-To: svn-src-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 083C9D181EE
 for <svn-src-stable@mailman.ysv.freebsd.org>;
 Wed, 22 Mar 2017 18:28:10 +0000 (UTC) (envelope-from pfg@FreeBSD.org)
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
 by mx1.freebsd.org (Postfix) with SMTP id C3B6B1E5D
 for <svn-src-stable@freebsd.org>; Wed, 22 Mar 2017 18:28:09 +0000 (UTC)
 (envelope-from pfg@FreeBSD.org)
Received: (qmail 91025 invoked by uid 99); 22 Mar 2017 18:28:08 -0000
Received: from mail-relay.apache.org (HELO mail-relay.apache.org)
 (140.211.11.15)
 by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 22 Mar 2017 18:28:08 +0000
Received: from [192.168.0.104] (unknown [190.157.139.67])
 by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) with
 ESMTPSA id DA77C1A0193; Wed, 22 Mar 2017 18:28:07 +0000 (UTC)
From: Pedro Giffuni <pfg@FreeBSD.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Subject: Re: svn commit: r315725 - stable/11/lib/libc/gen
Date: Wed, 22 Mar 2017 13:28:24 -0500
References: <201703221812.v2MICncq040713@repo.freebsd.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
In-Reply-To: <201703221812.v2MICncq040713@repo.freebsd.org>
Message-Id: <826A8703-3697-4DB6-9651-32A96A36AD9E@FreeBSD.org>
X-Mailer: Apple Mail (2.3259)
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable>, 
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable/>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 18:28:10 -0000


> Il giorno 22 mar 2017, alle ore 13:12, Pedro F. Giffuni =
<pfg@FreeBSD.org> ha scritto:
>=20
> Author: pfg
> Date: Wed Mar 22 18:12:48 2017
> New Revision: 315725
> URL: https://svnweb.freebsd.org/changeset/base/315725
>=20
> Log:
>  MFC r315720 (from cem@)
>  scandir: Fix NULL dereference, uninitialized value use in error case
>=20
>  This bug was introduced in r315095. Given that it obviously is a bug =
and
>  we can't afford to have such creatures in libc, do an early merge,
>=20

This deserves further explanation: it was done now, before the regular 3 =
days before MFC
because I will be doing a highly risky operation in my HD (MBR=E2=80=94> =
GPT) and may not be
able to respond in a while.

It is well know cem@ doesn=E2=80=99t do MFCs and the bug was obvious =
enough that we wanted it
so now was better than in an undetermined future.

Pedro.

>  Reported by:	Coverity
>  CIDs:		1329566, 1372625
>  Sponsored by:	Dell EMC Isilon
>=20
> Modified:
>  stable/11/lib/libc/gen/scandir.c
> Directory Properties:
>  stable/11/   (props changed)
>=20
> Modified: stable/11/lib/libc/gen/scandir.c
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
> --- stable/11/lib/libc/gen/scandir.c	Wed Mar 22 17:56:46 2017	=
(r315724)
> +++ stable/11/lib/libc/gen/scandir.c	Wed Mar 22 18:12:48 2017	=
(r315725)
> @@ -89,12 +89,12 @@ scandir(const char *dirname, struct dire
> 	if ((dirp =3D opendir(dirname)) =3D=3D NULL)
> 		return(-1);
>=20
> +	numitems =3D 0;
> 	arraysz =3D 32;	/* initial estimate of the array size */
> 	names =3D (struct dirent **)malloc(arraysz * sizeof(struct =
dirent *));
> 	if (names =3D=3D NULL)
> 		goto fail;
>=20
> -	numitems =3D 0;
> 	while ((d =3D readdir(dirp)) !=3D NULL) {
> 		if (select !=3D NULL && !SELECT(d))
> 			continue;	/* just selected names */
>=20