Date:      Thu, 09 Nov 2000 22:09:32 +0000
From:      Tony Finch <dot@dotat.at>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/22727: disklabel crashes if the number of partitions equals MAXPARTITIONS
Message-ID:  <E13tzsy-0002L8-00@hand.dotat.at>

>Number:         22727
>Category:       bin
>Synopsis:       disklabel crashes if the number of partitions equals MAXPARTITIONS
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 09 14:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Tony Finch <dot@dotat.at>
>Release:        FreeBSD 4.2-BETA-20001104 i386
>Organization:
dotat
>Environment:

FreeBSD hand.dotat.at 4.2-BETA-20001104 FreeBSD 4.2-BETA-20001104 #0: Sat Nov  4 22:44:50 UTC 2000     fanf@hand.dotat.at:/FreeBSD/obj/FreeBSD/releng4/sys/DELL-Latitude-CPx  i386

8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:  1606500        0    4.2BSD     1024  8192    16   # (Cyl.    0 - 99)
  b:  1606500  1606500      swap                        # (Cyl.  100 - 199)
  c: 23567292        0    unused        0     0         # (Cyl.    0 - 1466*)
  e:  1606500  3213000    4.2BSD     1024  8192    16   # (Cyl.  200 - 299)
  f:  8032500  4819500    4.2BSD     1024  8192    16   # (Cyl.  300 - 799)
  g:  1606500 12852000   ISO9660                        # (Cyl.  800 - 899)
  h:  1606500 14458500    4.2BSD     1024  8192    16   # (Cyl.  900 - 999)

>Description:

I tried to add another partition to the above configuration and I gave it the
letter 'i'. When I quit the editor, disklabel died from a segmentation fault
on line 841 of disklabel.c because the variable lp had been corrupted. I worked
out that this occurred in getasciilabel() because of an off-by-one error.

While I am here I note that disklabel handles editing the file in a way similar
to the way that crontab used to, until a vulnerability was found recently. I
don't know if it could cause problems, though.

>How-To-Repeat:


>Fix:


Index: disklabel.c
===================================================================
RCS file: /home/ncvs/src/sbin/disklabel/disklabel.c,v
retrieving revision 1.28.2.5
diff -u -r1.28.2.5 disklabel.c
--- disklabel.c	2000/10/31 01:32:23	1.28.2.5
+++ disklabel.c	2000/11/09 22:00:23
@@ -1141,7 +1141,7 @@
 		if ('a' <= *cp && *cp <= 'z' && cp[1] == '\0') {
 			unsigned part = *cp - 'a';
 
-			if (part > lp->d_npartitions) {
+			if (part >= lp->d_npartitions) {
 				fprintf(stderr,
 				    "line %d: bad partition name\n", lineno);
 				errors++;
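
Review bot: The changed test `if (part >= lp->d_npartitions) {` takes its bound from lp->d_npartitions, and the visible lines do not show that value being limited to MAXPARTITIONS. If the partition count read from the edited file can exceed MAXPARTITIONS, a letter past the end of the partition array is still accepted. Consider also rejecting `part >= MAXPARTITIONS` at this point, or confirm that d_npartitions is clamped where it is parsed. Separately, the "bad partition name" message could state the offending letter and the highest letter allowed, since a user who adds 'i' to an 8-partition label gets no hint that the partition count is the limit.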

>Release-Note:
>Audit-Trail:
>Unformatted:
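
The off-by-one described in the report, as an added example that is not part of the original message or of disklabel.c: a cut-down line parser applies the pre-patch `>` test and the patched `>=` test to constructed label lines. `struct label`, `apply_line`, `demo` and the sample lines are hypothetical, and `MAXPARTITIONS` is assumed to be 8 to match the label shown in the report.

```c
#include <stdio.h>

#define MAXPARTITIONS 8	/* assumed: matches the "8 partitions:" label above */
enum { REJECTED = -1, OVERRUN = -2 };

/* Cut-down stand-in for struct disklabel (hypothetical layout). */
struct label {
	unsigned d_npartitions;
	unsigned long d_size[MAXPARTITIONS];
};

/*
 * Parse one constructed label line ("  i: size offset") and store its size.
 * patched=0 applies the pre-patch '>' test, patched=1 the '>=' test.
 * Returns the slot written, REJECTED if the line is refused, or OVERRUN if
 * the name test passed but the slot is past the array (write is skipped).
 */
static int apply_line(struct label *lp, const char *line, int patched)
{
	char name;
	unsigned long size, offset;
	unsigned part;

	if (sscanf(line, " %c: %lu %lu", &name, &size, &offset) != 3)
		return REJECTED;
	if (name < 'a' || name > 'z')
		return REJECTED;
	part = (unsigned)(name - 'a');
	if (patched ? part >= lp->d_npartitions : part > lp->d_npartitions)
		return REJECTED;
	if (part >= MAXPARTITIONS)
		return OVERRUN;	/* an unchecked store would land outside d_size[] */
	lp->d_size[part] = size;
	return (int)part;
}

/* Run one line against a label whose partition count equals MAXPARTITIONS. */
static int demo(const char *line, int patched)
{
	struct label l = { MAXPARTITIONS, { 0 } };
	return apply_line(&l, line, patched);
}

int main(void)
{
	const char *lines[] = { "  h: 1606500 14458500", "  i: 1606500 16065000" };
	for (int i = 0; i < 2; i++)
		printf("%s  old=%d new=%d\n", lines[i], demo(lines[i], 0), demo(lines[i], 1));
	return 0;
}
```

With the partition count at MAXPARTITIONS, 'h' is stored in slot 7 by both tests, while 'i' passes the old test with an index one past the array and is refused by the patched one.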

