From owner-svn-src-head@FreeBSD.ORG Wed Jul 24 13:00:49 2013 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id B062ACE3; Wed, 24 Jul 2013 13:00:49 +0000 (UTC) (envelope-from uqs@FreeBSD.org) Received: from acme.spoerlein.net (acme.spoerlein.net [IPv6:2a01:4f8:131:23c2::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 33AB92E77; Wed, 24 Jul 2013 13:00:49 +0000 (UTC) Received: from localhost (acme.spoerlein.net [IPv6:2a01:4f8:131:23c2::1]) by acme.spoerlein.net (8.14.7/8.14.7) with ESMTP id r6OD0lYZ002878 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 24 Jul 2013 15:00:47 +0200 (CEST) (envelope-from uqs@FreeBSD.org) Date: Wed, 24 Jul 2013 15:00:47 +0200 From: Ulrich =?utf-8?B?U3DDtnJsZWlu?= To: Hiroki Sato Subject: Re: svn commit: r253504 - head/sbin/route Message-ID: <20130724130046.GD9092@acme.spoerlein.net> Mail-Followup-To: Ulrich =?utf-8?B?U3DDtnJsZWlu?= , Hiroki Sato , src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org References: <201307201646.r6KGkpM6054344@svn.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201307201646.r6KGkpM6054344@svn.freebsd.org> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jul 2013 13:00:49 -0000 On Sat, 2013-07-20 at 16:46:51 +0000, Hiroki Sato wrote: > Author: hrs > Date: Sat Jul 20 16:46:51 2013 > New Revision: 253504 > URL: http://svnweb.freebsd.org/changeset/base/253504 > > Log: > - Simplify getaddr() and print_getmsg() by using RTAX_* instead of RTA_* > as the argument. > - Reduce unnecessary loop in print_getmsg(). > > Modified: > head/sbin/route/route.c > > Modified: head/sbin/route/route.c > ============================================================================== > --- head/sbin/route/route.c Sat Jul 20 15:58:43 2013 (r253503) > +++ head/sbin/route/route.c Sat Jul 20 16:46:51 2013 (r253504) > @@ -1105,7 +1105,7 @@ inet6_makenetandmask(struct sockaddr_in6 > * returning 1 if a host address, 0 if a network address. > */ > static int > -getaddr(int which, char *str, struct hostent **hpp, int nrflags) > +getaddr(int idx, char *str, struct hostent **hpp, int nrflags) > { > struct sockaddr *sa; > #if defined(INET) > @@ -1130,36 +1130,16 @@ getaddr(int which, char *str, struct hos > aflen = sizeof(struct sockaddr_dl); > #endif > } > - rtm_addrs |= which; > + rtm_addrs |= (1 << idx); > > - switch (which) { > - case RTA_DST: > - sa = (struct sockaddr *)&so[RTAX_DST]; > - break; > - case RTA_GATEWAY: > - sa = (struct sockaddr *)&so[RTAX_GATEWAY]; > - break; > - case RTA_NETMASK: > - sa = (struct sockaddr *)&so[RTAX_NETMASK]; > - break; > - case RTA_GENMASK: > - sa = (struct sockaddr *)&so[RTAX_GENMASK]; > - break; > - case RTA_IFA: > - sa = (struct sockaddr *)&so[RTAX_IFA]; > - break; > - case RTA_IFP: > - sa = (struct sockaddr *)&so[RTAX_IFP]; > - break; > - default: > + if (idx > RTAX_MAX) > usage("internal error"); > - /*NOTREACHED*/ > - } > + sa = (struct sockaddr *)&so[idx]; Coverity Scan flags this as an out-of-bounds write. RTAX_MAX is 8, so idx can be up to 8 (inclusive) in the check above. Do you want to check for idx >= RTAX_MAX maybe? idx is also signed ... Coverity CID is 1054779, btw. Cheers, Uli