From owner-freebsd-bugs Thu Nov 9 14:10: 8 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 6036037B4D7
	for ; Thu, 9 Nov 2000 14:10:01 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id OAA06479;
	Thu, 9 Nov 2000 14:10:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from hand.dotat.at (sfo-gw.covalent.net [207.44.198.62])
	by hub.freebsd.org (Postfix) with ESMTP id 0D47737B4C5
	for ; Thu, 9 Nov 2000 14:09:37 -0800 (PST)
Received: from fanf by hand.dotat.at with local (Exim 3.15 #3)
	id 13tzsy-0002L8-00
	for FreeBSD-gnats-submit@freebsd.org; Thu, 09 Nov 2000 22:09:32 +0000
Message-Id:
Date: Thu, 09 Nov 2000 22:09:32 +0000
From: Tony Finch
Reply-To: Tony Finch
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/22727: disklabel crashes if the number of partitions equals MAXPARTITIONS
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 22727
>Category: bin
>Synopsis: disklabel crashes if the number of partitions equals MAXPARTITIONS
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 09 14:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Tony Finch
>Release: FreeBSD 4.2-BETA-20001104 i386
>Organization: dotat
>Environment:

FreeBSD hand.dotat.at 4.2-BETA-20001104 FreeBSD 4.2-BETA-20001104 #0: Sat Nov 4 22:44:50 UTC 2000 fanf@hand.dotat.at:/FreeBSD/obj/FreeBSD/releng4/sys/DELL-Latitude-CPx i386

8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:  1606500        0    4.2BSD     1024  8192    16   # (Cyl. 0 - 99)
  b:  1606500  1606500      swap                        # (Cyl. 100 - 199)
  c: 23567292        0    unused        0     0         # (Cyl. 0 - 1466*)
  e:  1606500  3213000    4.2BSD     1024  8192    16   # (Cyl. 200 - 299)
  f:  8032500  4819500    4.2BSD     1024  8192    16   # (Cyl. 300 - 799)
  g:  1606500 12852000   ISO9660                        # (Cyl. 800 - 899)
  h:  1606500 14458500    4.2BSD     1024  8192    16   # (Cyl. 900 - 999)

>Description:

I tried to add another partition to the above configuration and I gave it the letter 'i'. When I quit the editor, disklabel died from a segmentation fault on line 841 of disklabel.c because the variable lp had been corrupted. I worked out that this occurred in getasciilabel() because of an off-by-one error.

While I am here I note that disklabel handles editing the file in a way similar to the way that crontab used to, until a vulnerability was found recently. I don't know if it could cause problems, though.

>How-To-Repeat: >Fix: Index: disklabel.c =================================================================== RCS file: /home/ncvs/src/sbin/disklabel/disklabel.c,v retrieving revision 1.28.2.5 diff -u -r1.28.2.5 disklabel.c --- disklabel.c 2000/10/31 01:32:23 1.28.2.5 +++ disklabel.c 2000/11/09 22:00:23 @@ -1141,7 +1141,7 @@ if ('a' <= *cp && *cp <= 'z' && cp[1] == '\0') { unsigned part = *cp - 'a'; - if (part > lp->d_npartitions) { + if (part >= lp->d_npartitions) { fprintf(stderr, "line %d: bad partition name\n", lineno); errors++; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
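
Review bot: In the @@ -1141,7 +1141,7 @@ hunk, the new test `if (part >= lp->d_npartitions)` bounds the index only by the count held in lp, so it is safe only if that count has itself been limited to MAXPARTITIONS before this line runs, and nothing in the visible context shows that. Please confirm that d_npartitions is range-checked where it is set, or reject `part >= MAXPARTITIONS` here as well so the index check does not depend on a value that may come from the edited label. A one-line comment stating that part is a zero-based index, so the last valid value is d_npartitions - 1, would make the reason for `>=` clear to the next reader. The How-To-Repeat field is empty; the steps from the Description (a label with 8 partitions, add an entry lettered 'i') belong there so the fix can be regression-tested.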