Date:      Tue, 3 May 2016 21:00:10 +0200
From:      Oliver Pinter <oliver.pinter@hardenedbsd.org>
To:        "Conrad E. Meyer" <cem@freebsd.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org,  svn-src-head@freebsd.org
Subject:   Re: svn commit: r298665 - head/sys/dev/aacraid
Message-ID:  <CAPQ4ffvro_5bV_OdH=OLBN8o1Ui+vCgi7kBbHjwnoMTAtbo++Q@mail.gmail.com>
In-Reply-To: <201604262059.u3QKxLDl045059@repo.freebsd.org>
References:  <201604262059.u3QKxLDl045059@repo.freebsd.org>

On 4/26/16, Conrad E. Meyer <cem@freebsd.org> wrote:
> Author: cem
> Date: Tue Apr 26 20:59:21 2016
> New Revision: 298665
> URL: https://svnweb.freebsd.org/changeset/base/298665
>
> Log:
>   aacraid(4): Fix some mostly trivial buffer overruns
>
>   strcpy(3) emits a trailing nul byte, trampling fields after the intended
>   destination.  Instead, use strncpy(3), intentionally leaving these fields
>   not nul-terminated.
>
>   Reported by:	Coverity
>   CIDs:		1031024, 1305463, 1305494, 1305545
>   Sponsored by:	EMC / Isilon Storage Division
>
> Modified:
>   head/sys/dev/aacraid/aacraid_cam.c
>
> Modified: head/sys/dev/aacraid/aacraid_cam.c
> ==============================================================================
> --- head/sys/dev/aacraid/aacraid_cam.c	Tue Apr 26 20:36:32 2016	(r298664)
> +++ head/sys/dev/aacraid/aacraid_cam.c	Tue Apr 26 20:59:21 2016	(r298665)
> @@ -568,9 +568,11 @@ aac_container_special_command(struct cam
>  				p->additional_length = 31;
>  				p->flags = SID_WBus16|SID_Sync|SID_CmdQue;
>  				/* OEM Vendor defines */
> -				strcpy(p->vendor,"Adaptec ");
> -				strcpy(p->product,"Array           ");
> -				strcpy(p->revision,"V1.0");
> +				strncpy(p->vendor, "Adaptec ", sizeof(p->vendor));
> +				strncpy(p->product, "Array           ",
> +				    sizeof(p->product));
> +				strncpy(p->revision, "V1.0",
> +				    sizeof(p->revision));
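
Review bot: the three strncpy() calls bound the copy with sizeof() of a destination that the source literal fills exactly (8, 16 and 4 bytes), so nothing is written past the field and no NUL terminator is emitted, which is right for these fixed-width, space-padded INQUIRY fields but is also the exact pattern BUFFER_SIZE checkers report (the Coverity output later in this thread flags all three new lines), so the warning moves rather than disappears; the strlcpy() alternative would be wrong here, since strlcpy(p->vendor, "Adaptec ", sizeof(p->vendor)) would copy only "Adaptec" and spend the eighth byte on a NUL. Consider memcpy(p->vendor, "Adaptec ", sizeof(p->vendor)) (and likewise for product and revision) to state the intent and satisfy the checker, ideally guarded by a compile-time check such as CTASSERT(sizeof("Adaptec ") - 1 == sizeof(p->vendor)) so that a shortened literal cannot slip in: with strncpy a literal shorter than the field would be padded with NUL bytes rather than the spaces these fields carry. A comment at the call site saying the fields are intentionally not NUL-terminated would also save the next reader a trip to the commit log.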

strlcpy instead, or adjust the p->vendor size?

New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 125792:    (BUFFER_SIZE)
/sys/dev/aacraid/aacraid_cam.c: 574 in aac_container_special_command()
/sys/dev/aacraid/aacraid_cam.c: 576 in aac_container_special_command()
/sys/dev/aacraid/aacraid_cam.c: 573 in aac_container_special_command()


________________________________________________________________________________________________________
*** CID 125792:    (BUFFER_SIZE)
/sys/dev/aacraid/aacraid_cam.c: 574 in aac_container_special_command()
568                             p->response_format = 2;
569                             if (ccb->csio.dxfer_len >= 36) {
570                                     p->additional_length = 31;
571                                     p->flags = SID_WBus16|SID_Sync|SID_CmdQue;
572                                     /* OEM Vendor defines */
573                                     strncpy(p->vendor, "Adaptec ", sizeof(p->vendor));
>>>     CID 125792:    (BUFFER_SIZE)
>>>     Calling strncpy with a source string whose length (16 chars) is greater than or equal to the size argument (16) will fail to null-terminate "p->product".
574                                     strncpy(p->product, "Array           ",
575                                         sizeof(p->product));
576                                     strncpy(p->revision, "V1.0",
577                                         sizeof(p->revision));
578                             }
579                     } else {
/sys/dev/aacraid/aacraid_cam.c: 576 in aac_container_special_command()
570                                     p->additional_length = 31;
571                                     p->flags = SID_WBus16|SID_Sync|SID_CmdQue;
572                                     /* OEM Vendor defines */
573                                     strncpy(p->vendor, "Adaptec ", sizeof(p->vendor));
574                                     strncpy(p->product, "Array           ",
575                                         sizeof(p->product));
>>>     CID 125792:    (BUFFER_SIZE)
>>>     Calling strncpy with a source string whose length (4 chars) is greater than or equal to the size argument (4) will fail to null-terminate "p->revision".
576                                     strncpy(p->revision, "V1.0",
577                                         sizeof(p->revision));
578                             }
579                     } else {
580                             if (inq->page_code == SVPD_SUPPORTED_PAGE_LIST) {
581                                     struct scsi_vpd_supported_page_list *p =
/sys/dev/aacraid/aacraid_cam.c: 573 in aac_container_special_command()
567                             p->version = SCSI_REV_SPC2;
568                             p->response_format = 2;
569                             if (ccb->csio.dxfer_len >= 36) {
570                                     p->additional_length = 31;
571                                     p->flags = SID_WBus16|SID_Sync|SID_CmdQue;
572                                     /* OEM Vendor defines */
>>>     CID 125792:    (BUFFER_SIZE)
>>>     Calling strncpy with a source string whose length (8 chars) is greater than or equal to the size argument (8) will fail to null-terminate "p->vendor".
573                                     strncpy(p->vendor, "Adaptec ", sizeof(p->vendor));
574                                     strncpy(p->product, "Array           ",
575                                         sizeof(p->product));
576                                     strncpy(p->revision, "V1.0",
577                                         sizeof(p->revision));
578                             }


>  			}	
>  		} else {
>  			if (inq->page_code == SVPD_SUPPORTED_PAGE_LIST) {
> _______________________________________________
> svn-src-head@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org"
>
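
As an added example that is not part of this mail, the commit, or the FreeBSD source, the C program below puts the three copy routines discussed above side by side on a constructed struct with the same 8/16/4 field widths as the INQUIRY vendor/product/revision fields: the pre-r298665 strcpy() writing its terminator into the next field, the committed strncpy() filling each field exactly with no NUL, and the strlcpy() suggested in the reply truncating every field by one byte. struct inq_ids, SENTINEL, reset() and my_strlcpy() are this example's own names, not CAM's; my_strlcpy() re-implements strlcpy(3) semantics only so the program also builds on a libc that lacks it.

```c
/*
 * Added example, not code from the aacraid(4) commit or from this thread.
 * struct inq_ids is a constructed stand-in with the 8/16/4 widths of the CAM
 * vendor/product/revision INQUIRY fields, not the real scsi_inquiry_data;
 * SENTINEL and my_strlcpy are this example's own names.
 */
#include <stdio.h>
#include <string.h>

struct inq_ids {
	char vendor[8];
	char product[16];
	char revision[4];
	unsigned char next;	/* stands in for whatever follows revision[] */
};

#define SENTINEL 0xA5					/* "next" untouched */
static const char VENDOR[] = "Adaptec ";		/* 8 chars, as in r298665 */
static const char PRODUCT[] = "Array           ";	/* 16 chars */
static const char REVISION[] = "V1.0";			/* 4 chars */

static void
reset(struct inq_ids *p)
{
	memset(p, ' ', sizeof(*p));	/* SCSI ASCII fields are space padded */
	p->next = SENTINEL;
}

/* Pre-r298665 code; returns 1 if strcpy's NUL landed on the byte after
 * revision[].  The volatile pointer only keeps a fortified libc from seeing
 * the destination size (and aborting); the kernel had no such net. */
static int
strcpy_clobbers_next_field(void)
{
	struct inq_ids ids;
	char *volatile dst;

	reset(&ids);
	dst = ids.vendor;   strcpy(dst, VENDOR);	/* NUL into product[0] */
	dst = ids.product;  strcpy(dst, PRODUCT);	/* NUL into revision[0] */
	dst = ids.revision; strcpy(dst, REVISION);	/* NUL into next */
	return (ids.next != SENTINEL);
}

/* The r298665 fix: strncpy bounded by the field width fills it exactly and
 * writes no NUL (a shorter literal would be NUL, not space, padded).  Returns
 * 1 if every field holds its literal and the byte after revision[] is intact. */
static int
strncpy_fills_exactly(void)
{
	struct inq_ids ids;

	reset(&ids);
	strncpy(ids.vendor, VENDOR, sizeof(ids.vendor));
	strncpy(ids.product, PRODUCT, sizeof(ids.product));
	strncpy(ids.revision, REVISION, sizeof(ids.revision));
	return (memcmp(ids.vendor, VENDOR, sizeof(ids.vendor)) == 0 &&
	    memcmp(ids.product, PRODUCT, sizeof(ids.product)) == 0 &&
	    memcmp(ids.revision, REVISION, sizeof(ids.revision)) == 0 &&
	    ids.next == SENTINEL);
}

/* strlcpy(3) semantics (size > 0), local so it builds on libcs without it. */
static size_t
my_strlcpy(char *dst, const char *src, size_t size)
{
	size_t n = strlen(src), m = n < size ? n : size - 1;

	memcpy(dst, src, m);
	dst[m] = '\0';
	return (n);
}

/* "strlcpy instead": every literal exactly fills its field, so strlcpy drops
 * the last byte to make room for a NUL ("Adaptec", "V1.").  Returns how many
 * of the three copies report truncation (return value >= size). */
static int
strlcpy_truncated_fields(void)
{
	struct inq_ids ids;
	int t = 0;

	reset(&ids);
	t += my_strlcpy(ids.vendor, VENDOR, sizeof(ids.vendor)) >= sizeof(ids.vendor);
	t += my_strlcpy(ids.product, PRODUCT, sizeof(ids.product)) >= sizeof(ids.product);
	t += my_strlcpy(ids.revision, REVISION, sizeof(ids.revision)) >= sizeof(ids.revision);
	return (t);
}

int
main(void)
{
	printf("strcpy clobbers next: %d  strncpy exact: %d  strlcpy truncated: %d\n",
	    strcpy_clobbers_next_field(), strncpy_fills_exactly(),
	    strlcpy_truncated_fields());
	return (0);
}
```

Build with cc -std=c11 -Wall on any libc and run it: strcpy reports 1 (the byte after revision[] was overwritten), strncpy reports 1 (all three fields exact, nothing touched beyond them), and strlcpy reports 3, because each of the three literals is exactly as long as its field and loses its final byte to the terminator, which is why "strlcpy instead" does not fit these fixed-width fields.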