Date: Wed, 25 Feb 2015 04:30:24 +0000 (UTC) From: "Kenneth D. Merry" <ken@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r279261 - in head: lib/libmt usr.bin/mt Message-ID: <201502250430.t1P4UO8X048731@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ken Date: Wed Feb 25 04:30:23 2015 New Revision: 279261 URL: https://svnweb.freebsd.org/changeset/base/279261 Log: Fix several problems found by Coverity. lib/libmt/mtlib.c: In mt_start_element(), make sure we don't overflow the cur_sb array. CID 1271325 usr.bin/mt/mt.c: In main(), bzero the mt_com structure so that we aren't using any uninitialized stack variables. CID 1271319 In mt_param(), only allow one -s and one -p argument. This will prevent a memory leak caused by overwriting the param_name and/or param_value variables. CID 1271320 and CID 1271322 To make things simpler in mt_param(), make sure there there is only one exit path for the function. Make sure the arguments are explicitly freed. Sponsored by: Spectra Logic Pointed out by: emaste MFC after: 1 month Modified: head/lib/libmt/mtlib.c head/usr.bin/mt/mt.c Modified: head/lib/libmt/mtlib.c ============================================================================== --- head/lib/libmt/mtlib.c Wed Feb 25 00:06:25 2015 (r279260) +++ head/lib/libmt/mtlib.c Wed Feb 25 04:30:23 2015 (r279261) @@ -68,7 +68,7 @@ mt_start_element(void *user_data, const return; mtinfo->level++; - if ((u_int)mtinfo->level > (sizeof(mtinfo->cur_sb) / + if ((u_int)mtinfo->level >= (sizeof(mtinfo->cur_sb) / sizeof(mtinfo->cur_sb[0]))) { mtinfo->error = 1; snprintf(mtinfo->error_str, sizeof(mtinfo->error_str), Modified: head/usr.bin/mt/mt.c ============================================================================== --- head/usr.bin/mt/mt.c Wed Feb 25 00:06:25 2015 (r279260) +++ head/usr.bin/mt/mt.c Wed Feb 25 04:30:23 2015 (r279261) @@ -212,6 +212,8 @@ main(int argc, char *argv[]) int ch, len, mtfd; const char *p, *tape; + bzero(&mt_com, sizeof(mt_com)); + if ((tape = getenv("TAPE")) == NULL) tape = DEFTAPE; @@ -1333,12 +1335,24 @@ mt_param(int argc, char **argv, int mtfd list = 1; break; case 'p': + if (param_name != NULL) { + warnx("Only one paramter name may be " + "specified"); + retval = 1; + goto bailout; + } param_name = strdup(optarg); break; case 'q': quiet = 1; break; case 's': + if (param_value != NULL) { + warnx("Only one paramter value may be " + "specified"); + retval = 1; + goto bailout; + } param_value = strdup(optarg); do_set = 1; break; @@ -1350,12 +1364,16 @@ mt_param(int argc, char **argv, int mtfd } } - if ((list + do_set + xml_dump) != 1) - errx(1, "You must specify only one of -s, -l or -x"); + if ((list + do_set + xml_dump) != 1) { + warnx("You must specify only one of -s, -l or -x"); + retval = 1; + goto bailout; + } if (xml_dump != 0) { printf("%s", xml_str); - return (0); + retval = 0; + goto bailout; } if (do_set != 0) { @@ -1367,6 +1385,9 @@ mt_param(int argc, char **argv, int mtfd } else if (list != 0) retval = mt_param_list(status_data, param_name, quiet); +bailout: + free(param_name); + free(param_value); return (retval); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201502250430.t1P4UO8X048731>