From owner-svn-src-head@FreeBSD.ORG  Wed Feb 25 04:30:25 2015
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id DF041C99;
 Wed, 25 Feb 2015 04:30:24 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id C08C6F4D;
 Wed, 25 Feb 2015 04:30:24 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t1P4UOqh048733;
 Wed, 25 Feb 2015 04:30:24 GMT (envelope-from ken@FreeBSD.org)
Received: (from ken@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id t1P4UO8X048731;
 Wed, 25 Feb 2015 04:30:24 GMT (envelope-from ken@FreeBSD.org)
Message-Id: <201502250430.t1P4UO8X048731@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: ken set sender to ken@FreeBSD.org
 using -f
From: "Kenneth D. Merry" <ken@FreeBSD.org>
Date: Wed, 25 Feb 2015 04:30:24 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r279261 - in head: lib/libmt usr.bin/mt
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2015 04:30:25 -0000

Author: ken
Date: Wed Feb 25 04:30:23 2015
New Revision: 279261
URL: https://svnweb.freebsd.org/changeset/base/279261

Log:
  Fix several problems found by Coverity.
  
  lib/libmt/mtlib.c:
  	In mt_start_element(), make sure we don't overflow the
  	cur_sb array.  CID 1271325
  
  usr.bin/mt/mt.c:
  	In main(), bzero the mt_com structure so that we aren't
  	using any uninitialized stack variables.  CID 1271319
  
  	In mt_param(), only allow one -s and one -p argument.  This
  	will prevent a memory leak caused by overwriting the
  	param_name and/or param_value variables.  CID 1271320 and
  	CID 1271322
  
  	To make things simpler in mt_param(), make sure there
  	there is only one exit path for the function.  Make sure
  	the arguments are explicitly freed.
  
  Sponsored by:	Spectra Logic
  Pointed out by:	emaste
  MFC after:	1 month

Modified:
  head/lib/libmt/mtlib.c
  head/usr.bin/mt/mt.c

Modified: head/lib/libmt/mtlib.c
==============================================================================
--- head/lib/libmt/mtlib.c	Wed Feb 25 00:06:25 2015	(r279260)
+++ head/lib/libmt/mtlib.c	Wed Feb 25 04:30:23 2015	(r279261)
@@ -68,7 +68,7 @@ mt_start_element(void *user_data, const 
 		return;
 
 	mtinfo->level++;
-	if ((u_int)mtinfo->level > (sizeof(mtinfo->cur_sb) /
+	if ((u_int)mtinfo->level >= (sizeof(mtinfo->cur_sb) /
             sizeof(mtinfo->cur_sb[0]))) {
 		mtinfo->error = 1;
                 snprintf(mtinfo->error_str, sizeof(mtinfo->error_str), 

Modified: head/usr.bin/mt/mt.c
==============================================================================
--- head/usr.bin/mt/mt.c	Wed Feb 25 00:06:25 2015	(r279260)
+++ head/usr.bin/mt/mt.c	Wed Feb 25 04:30:23 2015	(r279261)
@@ -212,6 +212,8 @@ main(int argc, char *argv[])
 	int ch, len, mtfd;
 	const char *p, *tape;
 
+	bzero(&mt_com, sizeof(mt_com));
+	
 	if ((tape = getenv("TAPE")) == NULL)
 		tape = DEFTAPE;
 
@@ -1333,12 +1335,24 @@ mt_param(int argc, char **argv, int mtfd
 			list = 1;
 			break;
 		case 'p':
+			if (param_name != NULL) {
+				warnx("Only one paramter name may be "
+				    "specified");
+				retval = 1;
+				goto bailout;
+			}
 			param_name = strdup(optarg);
 			break;
 		case 'q':
 			quiet = 1;
 			break;
 		case 's':
+			if (param_value != NULL) {
+				warnx("Only one paramter value may be "
+				    "specified");
+				retval = 1;
+				goto bailout;
+			}
 			param_value = strdup(optarg);
 			do_set = 1;
 			break;
@@ -1350,12 +1364,16 @@ mt_param(int argc, char **argv, int mtfd
 		}
 	}
 
-	if ((list + do_set + xml_dump) != 1)
-		errx(1, "You must specify only one of -s, -l or -x");
+	if ((list + do_set + xml_dump) != 1) {
+		warnx("You must specify only one of -s, -l or -x");
+		retval = 1;
+		goto bailout;
+	}
 
 	if (xml_dump != 0) {
 		printf("%s", xml_str);
-		return (0);
+		retval = 0;
+		goto bailout;
 	}
 
 	if (do_set != 0) {
@@ -1367,6 +1385,9 @@ mt_param(int argc, char **argv, int mtfd
 	} else if (list != 0)
 		retval = mt_param_list(status_data, param_name, quiet);
 
+bailout:
+	free(param_name);
+	free(param_value);
 	return (retval);
 }