Date: Fri, 6 Dec 2019 00:24:32 +0000 (UTC) From: Alan Somers <asomers@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r355432 - stable/12/usr.sbin/sesutil Message-ID: <201912060024.xB60OWo0071309@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: asomers Date: Fri Dec 6 00:24:31 2019 New Revision: 355432 URL: https://svnweb.freebsd.org/changeset/base/355432 Log: MFC r354664-r354666 r354664: sesutil: fix an out-of-bounds array access sesutil would allow the user to toggle an LED that was one past the maximum element. If he tried, ENCIOC_GETELMSTAT would return EINVAL. Reported by: Coverity Coverity CID: 1398940 Sponsored by: Axcient r354665: sesutil: fix some memory leaks Reported by: Coverity Coverity CID: 1331665 Sponsored by: Axcient r354666: sesutil: fix another memory leak Instead of calloc()ing (and forgetting to free) in a tight loop, just put this small array on the stack. Reported by: Coverity Coverity CID: 1331665 Sponsored by: Axcient Modified: stable/12/usr.sbin/sesutil/sesutil.c Directory Properties: stable/12/ (props changed) Modified: stable/12/usr.sbin/sesutil/sesutil.c ============================================================================== --- stable/12/usr.sbin/sesutil/sesutil.c Fri Dec 6 00:12:14 2019 (r355431) +++ stable/12/usr.sbin/sesutil/sesutil.c Fri Dec 6 00:24:31 2019 (r355432) @@ -242,35 +242,38 @@ sesled(int argc, char **argv, bool setfault) } if (ioctl(fd, ENCIOC_GETELMMAP, (caddr_t) objp) < 0) { + free(objp); close(fd); xo_err(EXIT_FAILURE, "ENCIOC_GETELMMAP"); } if (isses) { - if (sesid > nobj) { + if (sesid >= nobj) { + free(objp); close(fd); xo_errx(EXIT_FAILURE, "Requested SES ID does not exist"); } do_led(fd, sesid, objp[sesid].elm_type, onoff, setfault); ndisks++; + free(objp); close(fd); break; } for (j = 0; j < nobj; j++) { + const int devnames_size = 128; + char devnames[devnames_size]; + if (all) { do_led(fd, objp[j].elm_idx, objp[j].elm_type, onoff, setfault); continue; } memset(&objdn, 0, sizeof(objdn)); + memset(devnames, 0, devnames_size); objdn.elm_idx = objp[j].elm_idx; - objdn.elm_names_size = 128; - objdn.elm_devnames = calloc(128, sizeof(char)); - if (objdn.elm_devnames == NULL) { - close(fd); - xo_err(EXIT_FAILURE, "calloc()"); - } + objdn.elm_names_size = devnames_size; + objdn.elm_devnames = devnames; if (ioctl(fd, ENCIOC_GETELMDEVNAMES, (caddr_t) &objdn) <0) { continue;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201912060024.xB60OWo0071309>