From owner-svn-src-stable-12@freebsd.org Mon Feb 18 18:44:22 2019 Return-Path: Delivered-To: svn-src-stable-12@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DF31914E7EFF; Mon, 18 Feb 2019 18:44:21 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 84970806B1; Mon, 18 Feb 2019 18:44:21 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 783409DD7; Mon, 18 Feb 2019 18:44:21 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x1IIiLk8069569; Mon, 18 Feb 2019 18:44:21 GMT (envelope-from brooks@FreeBSD.org) Received: (from brooks@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x1IIiLW3069568; Mon, 18 Feb 2019 18:44:21 GMT (envelope-from brooks@FreeBSD.org) Message-Id: <201902181844.x1IIiLW3069568@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: brooks set sender to brooks@FreeBSD.org using -f From: Brooks Davis Date: Mon, 18 Feb 2019 18:44:21 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r344262 - stable/12/sbin/mdmfs X-SVN-Group: stable-12 X-SVN-Commit-Author: brooks X-SVN-Commit-Paths: stable/12/sbin/mdmfs X-SVN-Commit-Revision: 344262 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 84970806B1 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.96)[-0.963,0]; NEURAL_HAM_LONG(-1.00)[-0.999,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-stable-12@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 12-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2019 18:44:22 -0000 Author: brooks Date: Mon Feb 18 18:44:20 2019 New Revision: 344262 URL: https://svnweb.freebsd.org/changeset/base/344262 Log: MFC r344023: mdmfs: Fix many bugs in automatic md(4) creation. This code allocated a correctly sized buffer, read past the end of the source buffer, writing off the end of the target buffer, and then writing a '\0' terminator past the end of the target buffer (in the wrong place). It then leaked the buffer. Switch to a statically sized buffer on the stack and update the source pointer and length before use so the correct things are copied. Fix a logic error in the checks that the format of the line is as expected and move on out of an assert. Remove an unneeded close(). fclose() closes the descriptor. Found with: CheriABI Obtained from: CheriBSD Reviewed by: kib, jhb, markj Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D19122 Modified: stable/12/sbin/mdmfs/mdmfs.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sbin/mdmfs/mdmfs.c ============================================================================== --- stable/12/sbin/mdmfs/mdmfs.c Mon Feb 18 18:34:13 2019 (r344261) +++ stable/12/sbin/mdmfs/mdmfs.c Mon Feb 18 18:44:20 2019 (r344262) @@ -441,7 +441,8 @@ static void do_mdconfig_attach_au(const char *args, const enum md_types mdtype) { const char *ta; /* Type arg. */ - char *linep, *linebuf; /* Line pointer, line buffer. */ + char *linep; + char linebuf[12]; /* 32-bit unit (10) + '\n' (1) + '\0' (1) */ int fd; /* Standard output of mdconfig invocation. */ FILE *sfd; int rv; @@ -475,14 +476,15 @@ do_mdconfig_attach_au(const char *args, const enum md_ if (sfd == NULL) err(1, "fdopen"); linep = fgetln(sfd, &linelen); - if (linep == NULL && linelen < mdnamelen + 1) - errx(1, "unexpected output from mdconfig (attach)"); /* If the output format changes, we want to know about it. */ - assert(strncmp(linep, mdname, mdnamelen) == 0); - linebuf = malloc(linelen - mdnamelen + 1); - assert(linebuf != NULL); + if (linep == NULL || linelen <= mdnamelen + 1 || + linelen - mdnamelen >= sizeof(linebuf) || + strncmp(linep, mdname, mdnamelen) != 0) + errx(1, "unexpected output from mdconfig (attach)"); + linep += mdnamelen; + linelen -= mdnamelen; /* Can't use strlcpy because linep is not NULL-terminated. */ - strncpy(linebuf, linep + mdnamelen, linelen); + strncpy(linebuf, linep, linelen); linebuf[linelen] = '\0'; ul = strtoul(linebuf, &p, 10); if (ul == ULONG_MAX || *p != '\n') @@ -490,7 +492,6 @@ do_mdconfig_attach_au(const char *args, const enum md_ unit = ul; fclose(sfd); - close(fd); } /*