Date:      Thu, 08 Oct 2015 18:33:23 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 203644] makefs: Coverity CID 974635, 974636: Copying several struct elements by single memcpy().
Message-ID:  <bug-203644-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203644

            Bug ID: 203644
           Summary: makefs: Coverity CID 974635, 974636: Copying several
                    struct elements by single memcpy().
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: scdbackup@gmx.net

usr.sbin/makefs/ffs/ffs_bswap.c

CID 974635 : Destination buffer too small (BUFFER_SIZE)
  10. buffer_size: You might overrun the 48 byte destination
  string n->di_db by writing the maximum 60 bytes from o->di_db.

138        memcpy(n->di_db, o->di_db, (NDADDR + NIADDR) * sizeof(u_int32_t));

CID 974636 : Destination buffer too small (BUFFER_SIZE)
  20. buffer_size: You might overrun the 16 byte destination string
  n->di_extb by writing the maximum 136 bytes from o->di_extb.

168        memcpy(n->di_extb, o->di_extb, (NXADDR + NDADDR + NIADDR) * 8);

--------------- Source analysis:

sys/ufs/ufs/dinode.h defines

  typedef int32_t ufs1_daddr_t;
  ...
  struct ufs1_dinode {
          ...
          ufs1_daddr_t di_db[NDADDR]; /* 40: Direct disk blocks. */
          ufs1_daddr_t di_ib[NIADDR]; /* 88: Indirect disk blocks. */
          ...

So both arrays get copied in one memcpy() operation.

Same with CID 974636:

  typedef int64_t ufs2_daddr_t;
  ...
  struct ufs2_dinode {
          ...
          ufs2_daddr_t di_extb[NXADDR];/* 96: External attributes block. */
          ufs2_daddr_t di_db[NDADDR]; /* 112: Direct disk blocks. */
          ufs2_daddr_t di_ib[NIADDR]; /* 208: Indirect disk blocks. */

Three arrays, one memcpy().

--------------- Remedy proposal:

One should consider using two or three separate memcpy() calls.
(I cannot judge whether the alignment of 40 and 88 needs
 padding bytes on any architecture.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
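The pattern the report describes, shown as an added example that is not part of the bug report or of FreeBSD's ffs_bswap.c: a single memcpy() whose named destination is di_db but whose length spans into the neighbouring di_ib array, beside the remedy the reporter proposes (one memcpy() per array). The struct definitions, the NDADDR/NIADDR values and the sample block numbers are constructed for this example and are not the real sys/ufs/ufs/dinode.h values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the UFS1 dinode arrays in sys/ufs/ufs/dinode.h.
   The array sizes are assumptions chosen for this example, not the real ones. */
#define NDADDR 12
#define NIADDR 3
typedef int32_t ufs1_daddr_t;

struct dinode_in {                 /* source record (what "o" points at) */
    ufs1_daddr_t di_db[NDADDR];    /* direct blocks */
    ufs1_daddr_t di_ib[NIADDR];    /* indirect blocks, laid out right after di_db */
};

struct dinode_out {                /* destination record (what "n" points at) */
    ufs1_daddr_t di_db[NDADDR];
    ufs1_daddr_t di_ib[NIADDR];
};

/* The pattern Coverity reports: the destination named in the call is di_db
   (48 bytes here), but the length covers di_db and di_ib together. It only
   works because both structs place di_ib immediately after di_db. */
static void copy_spanning(struct dinode_out *n, const struct dinode_in *o)
{
    memcpy(n->di_db, o->di_db, (NDADDR + NIADDR) * sizeof(ufs1_daddr_t));
}

/* The remedy proposed in the report: one memcpy per array, each bounded by
   sizeof() of the destination it actually names, so a static analyser can
   check every call against the buffer it writes to. */
static void copy_per_array(struct dinode_out *n, const struct dinode_in *o)
{
    memcpy(n->di_db, o->di_db, sizeof(n->di_db));
    memcpy(n->di_ib, o->di_ib, sizeof(n->di_ib));
}

/* The layout assumption the spanning copy silently depends on, made explicit:
   if padding ever appears between the arrays the build fails instead of the
   copy going wrong at run time. */
_Static_assert(offsetof(struct dinode_in, di_ib) ==
               offsetof(struct dinode_in, di_db) + sizeof(((struct dinode_in *)0)->di_db),
               "di_ib must follow di_db with no padding");

/* Runtime form of the same check on the destination struct. */
int arrays_are_adjacent(void)
{
    return offsetof(struct dinode_out, di_ib) ==
           offsetof(struct dinode_out, di_db) + sizeof(((struct dinode_out *)0)->di_db);
}

/* Builds a constructed sample inode, runs both copies and returns 1 if the
   per-array version reproduces every field and matches the spanning copy. */
int per_array_copy_matches(void)
{
    struct dinode_in o;
    struct dinode_out spanning, per_array;
    int i;

    for (i = 0; i < NDADDR; i++)
        o.di_db[i] = 1000 + i;        /* constructed block numbers */
    for (i = 0; i < NIADDR; i++)
        o.di_ib[i] = 2000 + i;

    memset(&spanning, 0, sizeof(spanning));
    memset(&per_array, 0, sizeof(per_array));
    copy_spanning(&spanning, &o);
    copy_per_array(&per_array, &o);

    return memcmp(per_array.di_db, o.di_db, sizeof(o.di_db)) == 0 &&
           memcmp(per_array.di_ib, o.di_ib, sizeof(o.di_ib)) == 0 &&
           memcmp(&spanning, &per_array, sizeof(spanning)) == 0;
}
```

The per-array form is what the report asks for; the _Static_assert answers the reporter's open question about padding for whichever architecture the code is compiled on, since the build itself fails if the two arrays stop being contiguous.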