svn commit: r293193 - head/sys/dev/asmc

Ulrich Spoerlein uqs at FreeBSD.org
Tue Jan 5 10:25:24 UTC 2016


Author: uqs
Date: Tue Jan  5 10:25:22 2016
New Revision: 293193
URL: https://svnweb.freebsd.org/changeset/base/293193

Log:
  Fix undefined behavior when using asmc_fan_getstring()
  
  It was returning a pointer to stack-allocated memory, so make the
  allocation at the caller instead.
  
  Found by:	clang static analyzer
  Coverity:	CID 1245774
  Reviewed by:	ed, rpaulo
  Review URL:	https://reviews.freebsd.org/D4740

Modified:
  head/sys/dev/asmc/asmc.c

Modified: head/sys/dev/asmc/asmc.c
==============================================================================
--- head/sys/dev/asmc/asmc.c	Tue Jan  5 09:18:43 2016	(r293192)
+++ head/sys/dev/asmc/asmc.c	Tue Jan  5 10:25:22 2016	(r293193)
@@ -963,14 +963,13 @@ asmc_fan_getvalue(device_t dev, const ch
 }
 
 static char*
-asmc_fan_getstring(device_t dev, const char *key, int fan)
+asmc_fan_getstring(device_t dev, const char *key, int fan, uint8_t *buf, uint8_t buflen)
 {
-	uint8_t buf[16];
 	char fankey[5];
 	char* desc;
 
 	snprintf(fankey, sizeof(fankey), key, fan);
-	if (asmc_key_read(dev, fankey, buf, sizeof buf) < 0)
+	if (asmc_key_read(dev, fankey, buf, buflen) < 0)
 		return (NULL);
 	desc = buf+4;
 
@@ -1012,12 +1011,13 @@ asmc_mb_sysctl_fanspeed(SYSCTL_HANDLER_A
 static int
 asmc_mb_sysctl_fanid(SYSCTL_HANDLER_ARGS)
 {
+	uint8_t buf[16];
 	device_t dev = (device_t) arg1;
 	int fan = arg2;
 	int error = true;
 	char* desc;
 
-	desc = asmc_fan_getstring(dev, ASMC_KEY_FANID, fan);
+	desc = asmc_fan_getstring(dev, ASMC_KEY_FANID, fan, buf, sizeof(buf));
 
 	if (desc != NULL)
 		error = sysctl_handle_string(oidp, desc, 0, req);


More information about the svn-src-head mailing list