git: fbfdf57d65be - main - Fix off-by-one bug in btpand

From: Jessica Clarke <jrtc27_at_FreeBSD.org>
Date: Mon, 03 Jun 2024 19:31:02 UTC
The branch main has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=fbfdf57d65bedfab28f9debc8a4a8d6802f9338a

commit fbfdf57d65bedfab28f9debc8a4a8d6802f9338a
Author:     Dapeng Gao <dg612@cam.ac.uk>
AuthorDate: 2024-06-03 19:30:36 +0000
Commit:     Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2024-06-03 19:30:36 +0000

    Fix off-by-one bug in btpand
    
    `ul` reaches `__arraycount(services)` before the bound-check happens, causing undefined behaviour.
    
    Reviewed by:    imp, jrtc27
    Fixes:          7718ced0ea98 ("Add btpand(8) daemon from NetBSD.")
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D45463
---
 usr.sbin/bluetooth/btpand/btpand.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/bluetooth/btpand/btpand.c b/usr.sbin/bluetooth/btpand/btpand.c
index d4bc15823290..f0b29837188f 100644
--- a/usr.sbin/bluetooth/btpand/btpand.c
+++ b/usr.sbin/bluetooth/btpand/btpand.c
@@ -143,11 +143,14 @@ main(int argc, char *argv[])
 
 		case 's': /* service */
 		case 'S': /* service (no SDP) */
-			for (ul = 0; strcasecmp(optarg, services[ul].name); ul++) {
-				if (ul == __arraycount(services))
-					errx(EXIT_FAILURE, "%s: unknown service", optarg);
+			for (ul = 0; ul < __arraycount(services); ul++) {
+				if (strcasecmp(optarg, services[ul].name) == 0)
+					break;
 			}
 
+			if (ul == __arraycount(services))
+				errx(EXIT_FAILURE, "%s: unknown service", optarg);
+
 			if (ch == 's')
 				service_name = services[ul].name;