From owner-svn-src-stable@freebsd.org Mon May 23 05:27:32 2016 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 593EDB46018; Mon, 23 May 2016 05:27:32 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2AE7D1839; Mon, 23 May 2016 05:27:32 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u4N5RVOF088039; Mon, 23 May 2016 05:27:31 GMT (envelope-from truckman@FreeBSD.org) Received: (from truckman@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u4N5RVGU088038; Mon, 23 May 2016 05:27:31 GMT (envelope-from truckman@FreeBSD.org) Message-Id: <201605230527.u4N5RVGU088038@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: truckman set sender to truckman@FreeBSD.org using -f From: Don Lewis Date: Mon, 23 May 2016 05:27:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r300463 - stable/10/usr.sbin/rpc.lockd X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 May 2016 05:27:32 -0000 Author: truckman Date: Mon May 23 05:27:31 2016 New Revision: 300463 URL: https://svnweb.freebsd.org/changeset/base/300463 Log: MFC r299986 Actually use the loop interation limit so carefully computed on the previous line to prevent buffer overflow. This turns out to not be important because the upstream xdr code already capped the object size at the proper value. Using the correct limit here looks a lot less scary and should please Coverity. Reported by: Coverity CID: 1199309, 1199310 Modified: stable/10/usr.sbin/rpc.lockd/lock_proc.c Directory Properties: stable/10/ (props changed) Modified: stable/10/usr.sbin/rpc.lockd/lock_proc.c ============================================================================== --- stable/10/usr.sbin/rpc.lockd/lock_proc.c Mon May 23 05:25:34 2016 (r300462) +++ stable/10/usr.sbin/rpc.lockd/lock_proc.c Mon May 23 05:27:31 2016 (r300463) @@ -115,7 +115,7 @@ log_netobj(obj) } /* Prevent the security hazard from the buffer overflow */ maxlen = (obj->n_len < MAX_NETOBJ_SZ ? obj->n_len : MAX_NETOBJ_SZ); - for (i=0, tmp1 = objvalbuffer, tmp2 = objascbuffer; i < obj->n_len; + for (i=0, tmp1 = objvalbuffer, tmp2 = objascbuffer; i < maxlen; i++, tmp1 +=2, tmp2 +=1) { sprintf(tmp1,"%02X",*(obj->n_bytes+i)); sprintf(tmp2,"%c",*(obj->n_bytes+i));