Date: Sat, 31 Aug 2024 10:54:04 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 281159] [PATCH] mfiutil: Fix potential buffer overflow and truncation issues
Message-ID: <bug-281159-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281159

            Bug ID: 281159
           Summary: [PATCH] mfiutil: Fix potential buffer overflow and truncation issues
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: msl0000023508@gmail.com

Created attachment 253206
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=253206&action=edit
proposed fix

The fix in mfi_volume.c is particularly important; since it uses sprintf(3), if 'state' is too big, an overflow instead of string truncation, will occur.

This change fixes the following warnings emitted by gcc(1):

mfi_drive.c: In function 'mfi_pdstate':
mfi_drive.c:155:40: warning: '%04x' directive writing between 4 and 8 bytes into a region of size 7 [-Wformat-overflow=]
In function 'mfi_pdstate',
    inlined from 'mfi_pdstate' at /usr/src/usr.sbin/mfiutil/mfi_drive.c:131:1:
/usr/src/usr.sbin/mfiutil/mfi_drive.c:155:30: note: directive argument in the range [3, 4294967295]
mfi_drive.c:155:17: note: 'sprintf' output between 14 and 18 bytes into a destination of size 16
mfi_drive.c: In function 'mfi_pd_inq_string':
mfi_drive.c:375:57: warning: ' ' directive output may be truncated writing 1 byte into a region of size between 0 and 62 [-Wformat-truncation=]
mfi_drive.c:375:9: note: 'snprintf' output 14 or more bytes (assuming 110) into a destination of size 64
mfi_drive.c:358:65: warning: ' serial=' directive output may be truncated writing 8 bytes into a region of size between 0 and 62 [-Wformat-truncation=]
mfi_drive.c:358:17: note: 'snprintf' output between 17 and 98 bytes into a destination of size 64
mfi_evt.c: In function 'pdrive_location':
mfi_evt.c:350:64: warning: 'snprintf' output may be truncated before the last format character [-Wformat-truncation=]
mfi_evt.c:350:17: note: 'snprintf' output between 10 and 17 bytes into a destination of size 16
mfi_volume.c: In function 'mfi_ldstate':
mfi_volume.c:60:40: warning: '%02x' directive writing between 2 and 8 bytes into a region of size 7 [-Wformat-overflow=]
mfi_volume.c:60:30: note: directive argument in the range [4, 4294967295]
mfi_volume.c:60:17: note: 'sprintf' output between 12 and 18 bytes into a destination of size 16

-- 
You are receiving this mail because:
You are the assignee for the bug.
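
The size arithmetic in the gcc notes for mfi_ldstate, worked through as an added example (not code from mfiutil or from the attached patch): a 16-byte destination, a 9-byte literal prefix and a '%02x' conversion of a 32-bit value need between 12 and 18 bytes, and snprintf(3) truncates where sprintf(3) would write past the buffer. The function names and the "STATE: 0x" prefix are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATE_BUF_LEN 16	/* destination size from the gcc notes */

/*
 * Hypothetical stand-in for the fallback branch of a state-to-string helper.
 * "STATE: 0x" is a constructed 9-byte prefix (an assumption, not mfiutil's
 * string) chosen so the sizes match the notes: 9 + 2..8 hex digits + NUL.
 * Returns the bytes the full string needs, NUL included, or -1 on error.
 */
static int
format_state(char *buf, size_t len, uint32_t state)
{
	int n = snprintf(buf, len, "STATE: 0x%02x", (unsigned int)state);

	return (n < 0 ? -1 : n + 1);
}

/* Bytes an unbounded sprintf(3) would write for this value. */
static int
needed_bytes(uint32_t state)
{
	char buf[STATE_BUF_LEN];

	return (format_state(buf, sizeof(buf), state));
}

/* Length actually stored in a 16-byte buffer; never exceeds 15. */
static size_t
stored_len(uint32_t state)
{
	char buf[STATE_BUF_LEN];

	(void)format_state(buf, sizeof(buf), state);
	return (strlen(buf));
}

int
main(void)
{
	/* Constructed sample values: 2, 6, 7 and 8 hex digits. */
	const uint32_t samples[] = { 0x04, 0xffffff, 0x1000000, 0xffffffff };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("0x%08x: needs %2d bytes, stored %zu chars%s\n",
		    (unsigned int)samples[i], needed_bytes(samples[i]),
		    stored_len(samples[i]),
		    needed_bytes(samples[i]) > STATE_BUF_LEN ? " (truncated)" : "");
	return (0);
}
```

Values of up to six hex digits fit the 16-byte buffer exactly; anything wider needs 17 or 18 bytes, which is the range the -Wformat-overflow note reports.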