[Bug 203644] makefs: Coverity CID 974635, 974636: Copying several struct elements by single memcpy().
bugzilla-noreply at freebsd.org
Thu Oct 8 18:33:23 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203644
Bug ID: 203644
Summary: makefs: Coverity CID 974635, 974636: Copying several
struct elements by single memcpy().
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: scdbackup at gmx.net
usr.sbin/makefs/ffs/ffs_bswap.c
CID 974635 : Destination buffer too small (BUFFER_SIZE)
10. buffer_size: You might overrun the 48 byte destination
string n->di_db by writing the maximum 60 bytes from o->di_db.
138 memcpy(n->di_db, o->di_db, (NDADDR + NIADDR) * sizeof(u_int32_t));
CID 974636 : Destination buffer too small (BUFFER_SIZE)
20. buffer_size: You might overrun the 16 byte destination string
n->di_extb by writing the maximum 136 bytes from o->di_extb.
168 memcpy(n->di_extb, o->di_extb, (NXADDR + NDADDR + NIADDR) * 8);
--------------- Source analysis:
sys/ufs/ufs/dinode.h defines
typedef int32_t ufs1_daddr_t;
...
struct ufs1_dinode {
...
ufs1_daddr_t di_db[NDADDR]; /* 40: Direct disk blocks. */
ufs1_daddr_t di_ib[NIADDR]; /* 88: Indirect disk blocks. */
...
So both arrays get copied in one memcpy() operation.
Same with CID 974636:
typedef int64_t ufs2_daddr_t;
...
struct ufs2_dinode {
...
ufs2_daddr_t di_extb[NXADDR];/* 96: External attributes block. */
ufs2_daddr_t di_db[NDADDR]; /* 112: Direct disk blocks. */
ufs2_daddr_t di_ib[NIADDR]; /* 208: Indirect disk blocks. */
Three arrays, one memcpy().
--------------- Remedy proposal:
One should consider using two or three separate memcpy() calls.
(I cannot judge whether the alignment of 40 and 88 needs
padding bytes on any architecture.)
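Added example, not code from the bug report or from FreeBSD's makefs: a reduced model of the two inode structs, showing the single-memcpy pattern Coverity flags beside the per-member copy the report proposes, and turning the "is there padding between the arrays" question from the remedy proposal into a compile-time check. The struct definitions here (only the block-pointer arrays, preceded by one di_mode field) and the array counts (12/3/2, derived from the byte counts in the Coverity messages) are assumptions for illustration, not the real sys/ufs/ufs/dinode.h layouts.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Array sizes implied by the byte counts in the Coverity messages:
 * 48/4 = 12 direct, (60-48)/4 = 3 indirect, 16/8 = 2 extattr blocks. */
#define NDADDR 12
#define NIADDR 3
#define NXADDR 2

typedef int32_t ufs1_daddr_t;
typedef int64_t ufs2_daddr_t;

/* Reduced stand-ins (an assumption, not the real dinode.h layouts): only
 * the arrays named in the two CIDs, preceded by one field so the arrays
 * do not start at offset 0. */
struct ufs1_dinode_blocks {
	uint16_t     di_mode;
	ufs1_daddr_t di_db[NDADDR]; /* direct disk blocks */
	ufs1_daddr_t di_ib[NIADDR]; /* indirect disk blocks */
};

struct ufs2_dinode_blocks {
	uint16_t     di_mode;
	ufs2_daddr_t di_extb[NXADDR]; /* external attribute blocks */
	ufs2_daddr_t di_db[NDADDR];
	ufs2_daddr_t di_ib[NIADDR];
};

/* Compile-time guard for the layout assumption the single memcpy() relies
 * on: each array must begin exactly where the previous one ends. */
#define MEMBER_SIZE(type, m) sizeof(((type *)0)->m)
#define ADJACENT(type, a, b) \
	(offsetof(type, b) == offsetof(type, a) + MEMBER_SIZE(type, a))

_Static_assert(ADJACENT(struct ufs1_dinode_blocks, di_db, di_ib),
    "ufs1: di_db and di_ib are not contiguous");
_Static_assert(ADJACENT(struct ufs2_dinode_blocks, di_extb, di_db) &&
    ADJACENT(struct ufs2_dinode_blocks, di_db, di_ib),
    "ufs2: di_extb, di_db, di_ib are not contiguous");

/* What Coverity flagged: the length exceeds the named destination member. */
static void
ufs1_copy_single(struct ufs1_dinode_blocks *n, const struct ufs1_dinode_blocks *o)
{
	memcpy(n->di_db, o->di_db, (NDADDR + NIADDR) * sizeof(ufs1_daddr_t));
}

static void
ufs2_copy_single(struct ufs2_dinode_blocks *n, const struct ufs2_dinode_blocks *o)
{
	memcpy(n->di_extb, o->di_extb, (NXADDR + NDADDR + NIADDR) * 8);
}

/* The proposed remedy: one memcpy() per array, each sized from its own
 * member, so no call writes past the object it names. */
static void
ufs1_copy_split(struct ufs1_dinode_blocks *n, const struct ufs1_dinode_blocks *o)
{
	memcpy(n->di_db, o->di_db, sizeof(n->di_db));
	memcpy(n->di_ib, o->di_ib, sizeof(n->di_ib));
}

static void
ufs2_copy_split(struct ufs2_dinode_blocks *n, const struct ufs2_dinode_blocks *o)
{
	memcpy(n->di_extb, o->di_extb, sizeof(n->di_extb));
	memcpy(n->di_db, o->di_db, sizeof(n->di_db));
	memcpy(n->di_ib, o->di_ib, sizeof(n->di_ib));
}

/* Byte counts as Coverity reports them, for comparison with the messages. */
size_t ufs1_dest_size(void) { return MEMBER_SIZE(struct ufs1_dinode_blocks, di_db); }
size_t ufs1_copy_len(void)  { return (NDADDR + NIADDR) * sizeof(ufs1_daddr_t); }
size_t ufs2_dest_size(void) { return MEMBER_SIZE(struct ufs2_dinode_blocks, di_extb); }
size_t ufs2_copy_len(void)  { return (NXADDR + NDADDR + NIADDR) * 8; }

/* Fill a constructed source inode, run both copy styles, and report whether
 * they produce identical destinations (1) or not (0). */
int
ufs1_copies_agree(void)
{
	struct ufs1_dinode_blocks o, a, b;
	memset(&o, 0, sizeof(o)); memset(&a, 0xAA, sizeof(a)); memset(&b, 0xAA, sizeof(b));
	for (int i = 0; i < NDADDR; i++) o.di_db[i] = 1000 + i;
	for (int i = 0; i < NIADDR; i++) o.di_ib[i] = 2000 + i;
	ufs1_copy_single(&a, &o);
	ufs1_copy_split(&b, &o);
	return memcmp(a.di_db, b.di_db, sizeof(a.di_db)) == 0 &&
	       memcmp(a.di_ib, b.di_ib, sizeof(a.di_ib)) == 0 &&
	       b.di_ib[NIADDR - 1] == 2000 + NIADDR - 1;
}

int
ufs2_copies_agree(void)
{
	struct ufs2_dinode_blocks o, a, b;
	memset(&o, 0, sizeof(o)); memset(&a, 0xAA, sizeof(a)); memset(&b, 0xAA, sizeof(b));
	for (int i = 0; i < NXADDR; i++) o.di_extb[i] = 500 + i;
	for (int i = 0; i < NDADDR; i++) o.di_db[i] = 1000 + i;
	for (int i = 0; i < NIADDR; i++) o.di_ib[i] = 2000 + i;
	ufs2_copy_single(&a, &o);
	ufs2_copy_split(&b, &o);
	return memcmp(a.di_extb, b.di_extb, sizeof(a.di_extb)) == 0 &&
	       memcmp(a.di_db, b.di_db, sizeof(a.di_db)) == 0 &&
	       memcmp(a.di_ib, b.di_ib, sizeof(a.di_ib)) == 0 &&
	       b.di_ib[NIADDR - 1] == 2000 + NIADDR - 1;
}

int
main(void)
{
	printf("ufs1: dest %zu bytes, copy %zu bytes, agree=%d\n",
	    ufs1_dest_size(), ufs1_copy_len(), ufs1_copies_agree());
	printf("ufs2: dest %zu bytes, copy %zu bytes, agree=%d\n",
	    ufs2_dest_size(), ufs2_copy_len(), ufs2_copies_agree());
	return 0;
}
```

The split version is the one to keep: it is bounded by the object each memcpy() names, so static analyzers have nothing to complain about and a future reordering of the struct cannot silently turn the copy into an out-of-bounds write. If the single-memcpy form is retained for some reason, the _Static_assert lines are the minimum that should accompany it, since they answer the padding question at build time on whatever architecture the tree is compiled for. Recent GCC versions may also flag the single-memcpy variants with a -Wstringop-overflow warning of their own.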