From owner-freebsd-bugs@FreeBSD.ORG Sat Sep 11 17:10:18 2004
Message-Id: <200409111703.i8BH3EMm002458@kulesh.obluda.cz>
Date: Sat, 11 Sep 2004 19:03:14 +0200 (CEST)
From: Dan Lukes
Reply-To: Dan Lukes
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/71602: [PATCH] uninitialized "len" used instead of "slen" within usr.sbin/setkey code

>Number: 71602
>Category: bin
>Synopsis: [PATCH] uninitialized "len" used instead of "slen" within usr.sbin/setkey code
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Sep 11 17:10:17 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.3-BETA3 i386
>Organization: Obludarium
>Environment:
System: FreeBSD kulesh.obluda.cz 5.3-BETA3 FreeBSD 5.3-BETA3 #8: Sun Sep 5 07:06:40 CEST 2004 dan@kulesh.obluda.cz:/usr/obj/usr/src/sys/Dan i386

$FreeBSD: usr.sbin/setkey/parse.y,v 1.7 2004/05/13 15:46:28 ume
$FreeBSD: usr.sbin/setkey/Makefile,v 1.11 2003/11/05 09:47:54 ume
>Description:
usr.sbin/setkey/parse.y:992: warning: 'len' might be used uninitialized in this function
 * This warning points to a true error, as the uninitialized 'len' should not be used there,
 * but the 'slen' variable
usr.sbin/setkey/parse.y:1186: warning: 'p2' might be used uninitialized in this function
 * This warning points to a real error, as p2 really can be used uninitialised.
 * There is another error near it as well - 'p' is incremented, but 'l'
 * is not.
In advance, I'm eliminating those warnings: usr.sbin/setkey/parse.y:1023: warning: dereferencing type-punned pointer will break strict-aliasing rules usr.sbin/setkey/parse.y:1039: warning: dereferencing type-punned pointer will break strict-aliasing rules >How-To-Repeat: N/A >Fix: *** usr.sbin/setkey/Makefile.ORIG Fri Nov 14 03:55:16 2003 --- usr.sbin/setkey/Makefile Tue Sep 7 19:35:13 2004 *************** *** 31,37 **** MAN= setkey.8 SRCS= setkey.c parse.y token.l ! CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../lib/libipsec YFLAGS= -d DPADD= ${LIBL} ${LIBY} --- 31,37 ---- MAN= setkey.8 SRCS= setkey.c parse.y token.l ! CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../lib/libipsec -fno-strict-aliasing YFLAGS= -d DPADD= ${LIBL} ${LIBY} *** usr.sbin/setkey/parse.y.ORIG Tue May 18 22:20:16 2004 --- usr.sbin/setkey/parse.y Tue Sep 7 19:56:37 2004 *************** *** 1053,1059 **** m_lt.sadb_lifetime_usetime = 0; memcpy(buf + l, &m_lt, slen); ! l += len; } /* set lifetime for SOFT */ --- 1053,1059 ---- m_lt.sadb_lifetime_usetime = 0; memcpy(buf + l, &m_lt, slen); ! l += slen; } /* set lifetime for SOFT */ *************** *** 1069,1075 **** m_lt.sadb_lifetime_usetime = 0; memcpy(buf + l, &m_lt, slen); ! l += len; } len = sizeof(struct sadb_sa); --- 1069,1075 ---- m_lt.sadb_lifetime_usetime = 0; memcpy(buf + l, &m_lt, slen); ! l += slen; } len = sizeof(struct sadb_sa); *************** *** 1195,1203 **** if (*p == ',') { *p = '\0'; p2 = ++p; } - for (p = p2; *p != '\0' && l < spec->len; p++, l++) - ; if (*p != '\0' || *p2 == '\0') { yyerror("invalid an upper layer protocol spec"); return -1; --- 1195,1206 ---- if (*p == ',') { *p = '\0'; p2 = ++p; + l++; + for (; *p != '\0' && l < spec->len; p++, l++) + ; + } else { + p2 = "0"; } if (*p != '\0' || *p2 == '\0') { yyerror("invalid an upper layer protocol spec"); return -1; >Release-Note: >Audit-Trail: >Unformatted:
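Review bot: In the Makefile hunk, adding -fno-strict-aliasing to CFLAGS silences the type-punned-pointer warnings reported for parse.y:1023 and parse.y:1039 without changing the dereferences that trigger them, and it applies to every file in SRCS (setkey.c, parse.y, token.l). Prefer fixing the two dereferences themselves, for example by copying through memcpy into a correctly typed local, and leave the flag out. If the flag stays, add a comment naming the lines it exists for, and submit it as a change separate from the 'len'/'slen' fix so the bug fix can be merged on its own.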
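Review bot: In both lifetime hunks (parse.y 1053 and 1069), the visible lines do memcpy(buf + l, &m_lt, slen) and then advance l, but nothing shown checks that l + slen still fits in buf. With the old "l += len" the offset advanced by an indeterminate amount, so every later write into buf landed at an unpredictable position; now that the advance is deterministic, confirm that a bounds check exists before each memcpy, or add one. The context line "len = sizeof(struct sadb_sa);" after the second hunk shows that len is first assigned only after both increments, so consider declaring len at that point (or narrowing its scope) so the compiler rejects any future use of it in the lifetime blocks.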
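Review bot: In the last parse.y hunk (1195), the new else branch sets p2 = "0", which points p2 at a string literal while the other branch points it into the writable input buffer (p2 = ++p). If anything later writes through p2 that is undefined behaviour, so p2 should be const-qualified or the default should be handled without a literal. The branch also changes what the parser accepts: a spec without a comma now silently gets a second field of 0, and the "*p2 == '\0'" test only fires for a trailing comma. If that default is intended, say so in a comment next to the else and in setkey.8; if not, report the error in the else branch instead. The added "l++" for the consumed comma is right, and a short comment there would explain why l has to stay in step with p for the "l < spec->len" bound.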