Date:      Mon, 23 May 2016 05:27:31 +0000 (UTC)
From:      Don Lewis <truckman@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r300463 - stable/10/usr.sbin/rpc.lockd
Message-ID:  <201605230527.u4N5RVGU088038@repo.freebsd.org>

Author: truckman
Date: Mon May 23 05:27:31 2016
New Revision: 300463
URL: https://svnweb.freebsd.org/changeset/base/300463

Log:
  MFC r299986
  
  Actually use the loop iteration limit so carefully computed on the
  previous line to prevent buffer overflow.  This turns out to not be
  important because the upstream xdr code already capped the object
  size at the proper value.  Using the correct limit here looks a lot
  less scary and should please Coverity.
  
  Reported by:	Coverity
  CID:		1199309, 1199310

Modified:
  stable/10/usr.sbin/rpc.lockd/lock_proc.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/usr.sbin/rpc.lockd/lock_proc.c
==============================================================================
--- stable/10/usr.sbin/rpc.lockd/lock_proc.c	Mon May 23 05:25:34 2016	(r300462)
+++ stable/10/usr.sbin/rpc.lockd/lock_proc.c	Mon May 23 05:27:31 2016	(r300463)
@@ -115,7 +115,7 @@ log_netobj(obj)
 	}
 	/* Prevent the security hazard from the buffer overflow */
 	maxlen = (obj->n_len < MAX_NETOBJ_SZ ? obj->n_len : MAX_NETOBJ_SZ);
-	for (i=0, tmp1 = objvalbuffer, tmp2 = objascbuffer; i < obj->n_len;
+	for (i=0, tmp1 = objvalbuffer, tmp2 = objascbuffer; i < maxlen;
 	    i++, tmp1 +=2, tmp2 +=1) {
 		sprintf(tmp1,"%02X",*(obj->n_bytes+i));
 		sprintf(tmp2,"%c",*(obj->n_bytes+i));
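
Review bot: the two sprintf calls in the loop body are still unbounded, so after this change the writes stay inside objvalbuffer and objascbuffer only if those buffers are sized for MAX_NETOBJ_SZ entries, and their declarations are outside this hunk. Consider snprintf with the remaining space computed from the buffer size, so the bound is enforced at the write itself rather than only by the loop condition. Separately, if n_bytes is a plain char pointer (its declaration is also not visible here), `*(obj->n_bytes+i)` is sign-extended when promoted to int on signed-char platforms, and "%02X" then produces eight hex digits for any byte of 0x80 or above while tmp1 advances by only 2; casting the argument to unsigned char keeps each write at two digits plus the terminator. The "%c" line also copies raw bytes, including NUL and control characters, into the buffer that log_netobj goes on to use, so a printable-character filter there would be worth adding.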


