Date:      Fri, 6 Dec 2019 00:24:32 +0000 (UTC)
From:      Alan Somers <asomers@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r355432 - stable/12/usr.sbin/sesutil
Message-ID:  <201912060024.xB60OWo0071309@repo.freebsd.org>

Author: asomers
Date: Fri Dec  6 00:24:31 2019
New Revision: 355432
URL: https://svnweb.freebsd.org/changeset/base/355432

Log:
  MFC r354664-r354666
  
  r354664:
  sesutil: fix an out-of-bounds array access
  
  sesutil would allow the user to toggle an LED that was one past the maximum
  element.  If he tried, ENCIOC_GETELMSTAT would return EINVAL.
  
  Reported by:	Coverity
  Coverity CID:	1398940
  Sponsored by:	Axcient
  
  r354665:
  sesutil: fix some memory leaks
  
  Reported by:	Coverity
  Coverity CID:	1331665
  Sponsored by:	Axcient
  
  r354666:
  sesutil: fix another memory leak
  
  Instead of calloc()ing (and forgetting to free) in a tight loop, just put
  this small array on the stack.
  
  Reported by:	Coverity
  Coverity CID:	1331665
  Sponsored by:	Axcient

Modified:
  stable/12/usr.sbin/sesutil/sesutil.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/usr.sbin/sesutil/sesutil.c
==============================================================================
--- stable/12/usr.sbin/sesutil/sesutil.c	Fri Dec  6 00:12:14 2019	(r355431)
+++ stable/12/usr.sbin/sesutil/sesutil.c	Fri Dec  6 00:24:31 2019	(r355432)
@@ -242,35 +242,38 @@ sesled(int argc, char **argv, bool setfault)
 		}
 
 		if (ioctl(fd, ENCIOC_GETELMMAP, (caddr_t) objp) < 0) {
+			free(objp);
 			close(fd);
 			xo_err(EXIT_FAILURE, "ENCIOC_GETELMMAP");
 		}
 
 		if (isses) {
-			if (sesid > nobj) {
+			if (sesid >= nobj) {
+				free(objp);
 				close(fd);
 				xo_errx(EXIT_FAILURE,
 				     "Requested SES ID does not exist");
 			}
 			do_led(fd, sesid, objp[sesid].elm_type, onoff, setfault);
 			ndisks++;
+			free(objp);
 			close(fd);
 			break;
 		}
 		for (j = 0; j < nobj; j++) {
+			const int devnames_size = 128;
+			char devnames[devnames_size];
+
 			if (all) {
 				do_led(fd, objp[j].elm_idx, objp[j].elm_type,
 				    onoff, setfault);
 				continue;
 			}
 			memset(&objdn, 0, sizeof(objdn));
+			memset(devnames, 0, devnames_size);
 			objdn.elm_idx = objp[j].elm_idx;
-			objdn.elm_names_size = 128;
-			objdn.elm_devnames = calloc(128, sizeof(char));
-			if (objdn.elm_devnames == NULL) {
-				close(fd);
-				xo_err(EXIT_FAILURE, "calloc()");
-			}
+			objdn.elm_names_size = devnames_size;
+			objdn.elm_devnames = devnames;
 			if (ioctl(fd, ENCIOC_GETELMDEVNAMES,
 			    (caddr_t) &objdn) <0) {
 				continue;
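Review bot: `const int devnames_size = 128; char devnames[devnames_size];` at the top of the `for (j = 0; j < nobj; j++)` body declares a variable-length array, because in C a `const int` object is not an integer constant expression. The size is fixed, so stack use stays bounded, but the declaration trips `-Wvla` and the length lives in a variable separate from the buffer it describes. Declaring `char devnames[128];` and then using `memset(devnames, 0, sizeof(devnames));` and `objdn.elm_names_size = sizeof(devnames);` keeps the size handed to ENCIOC_GETELMDEVNAMES tied to the real buffer. The loop body continues past the end of this hunk, so how `objdn.elm_devnames` is consumed afterwards is not visible here.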


