svn commit: r298665 - head/sys/dev/aacraid

Oliver Pinter oliver.pinter at hardenedbsd.org
Tue May 3 19:00:12 UTC 2016


On 4/26/16, Conrad E. Meyer <cem at freebsd.org> wrote:
> Author: cem
> Date: Tue Apr 26 20:59:21 2016
> New Revision: 298665
> URL: https://svnweb.freebsd.org/changeset/base/298665
>
> Log:
>   aacraid(4): Fix some mostly trivial buffer overruns
>
>   strcpy(3) emits a trailing nul byte, trampling fields after the intended
>   destination.  Instead, use strncpy(3), intentionally leaving these fields
>   not nul-terminated.
>
>   Reported by:	Coverity
>   CIDs:		1031024, 1305463, 1305494, 1305545
>   Sponsored by:	EMC / Isilon Storage Division
>
> Modified:
>   head/sys/dev/aacraid/aacraid_cam.c
>
> Modified: head/sys/dev/aacraid/aacraid_cam.c
> ==============================================================================
> --- head/sys/dev/aacraid/aacraid_cam.c	Tue Apr 26 20:36:32 2016	(r298664)
> +++ head/sys/dev/aacraid/aacraid_cam.c	Tue Apr 26 20:59:21 2016	(r298665)
> @@ -568,9 +568,11 @@ aac_container_special_command(struct cam
>  				p->additional_length = 31;
>  				p->flags = SID_WBus16|SID_Sync|SID_CmdQue;
>  				/* OEM Vendor defines */
> -				strcpy(p->vendor,"Adaptec ");
> -				strcpy(p->product,"Array           ");
> -				strcpy(p->revision,"V1.0");
> +				strncpy(p->vendor, "Adaptec ", sizeof(p->vendor));
> +				strncpy(p->product, "Array           ",
> +				    sizeof(p->product));
> +				strncpy(p->revision, "V1.0",
> +				    sizeof(p->revision));

Use strlcpy instead, or adjust p->vendor's size?

New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 125792:    (BUFFER_SIZE)
/sys/dev/aacraid/aacraid_cam.c: 574 in aac_container_special_command()
/sys/dev/aacraid/aacraid_cam.c: 576 in aac_container_special_command()
/sys/dev/aacraid/aacraid_cam.c: 573 in aac_container_special_command()


________________________________________________________________________________________________________
*** CID 125792:    (BUFFER_SIZE)
/sys/dev/aacraid/aacraid_cam.c: 574 in aac_container_special_command()
568                             p->response_format = 2;
569                             if (ccb->csio.dxfer_len >= 36) {
570                                     p->additional_length = 31;
571                                     p->flags =
SID_WBus16|SID_Sync|SID_CmdQue;
572                                     /* OEM Vendor defines */
573                                     strncpy(p->vendor, "Adaptec ",
sizeof(p->vendor));
>>>     CID 125792:    (BUFFER_SIZE)
>>>     Calling strncpy with a source string whose length (16 chars) is greater than or equal to the size argument (16) will fail to null-terminate "p->product".
574                                     strncpy(p->product, "Array           ",
575                                         sizeof(p->product));
576                                     strncpy(p->revision, "V1.0",
577                                         sizeof(p->revision));
578                             }
579                     } else {
/sys/dev/aacraid/aacraid_cam.c: 576 in aac_container_special_command()
570                                     p->additional_length = 31;
571                                     p->flags =
SID_WBus16|SID_Sync|SID_CmdQue;
572                                     /* OEM Vendor defines */
573                                     strncpy(p->vendor, "Adaptec ",
sizeof(p->vendor));
574                                     strncpy(p->product, "Array           ",
575                                         sizeof(p->product));
>>>     CID 125792:    (BUFFER_SIZE)
>>>     Calling strncpy with a source string whose length (4 chars) is greater than or equal to the size argument (4) will fail to null-terminate "p->revision".
576                                     strncpy(p->revision, "V1.0",
577                                         sizeof(p->revision));
578                             }
579                     } else {
580                             if (inq->page_code ==
SVPD_SUPPORTED_PAGE_LIST) {
581                                     struct scsi_vpd_supported_page_list *p =
/sys/dev/aacraid/aacraid_cam.c: 573 in aac_container_special_command()
567                             p->version = SCSI_REV_SPC2;
568                             p->response_format = 2;
569                             if (ccb->csio.dxfer_len >= 36) {
570                                     p->additional_length = 31;
571                                     p->flags =
SID_WBus16|SID_Sync|SID_CmdQue;
572                                     /* OEM Vendor defines */
>>>     CID 125792:    (BUFFER_SIZE)
>>>     Calling strncpy with a source string whose length (8 chars) is greater than or equal to the size argument (8) will fail to null-terminate "p->vendor".
573                                     strncpy(p->vendor, "Adaptec ",
sizeof(p->vendor));
574                                     strncpy(p->product, "Array           ",
575                                         sizeof(p->product));
576                                     strncpy(p->revision, "V1.0",
577                                         sizeof(p->revision));
578                             }


>  			}	
>  		} else {
>  			if (inq->page_code == SVPD_SUPPORTED_PAGE_LIST) {
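Review bot: The three strncpy() calls that fill p->vendor, p->product and p->revision have no comment saying the missing terminator is deliberate; that intent is stated only in the commit log. Each literal is exactly as long as its field, so a later reader can easily take the calls for a bug and "repair" them back into an overrun or a truncated string. I would extend the existing comment to `/* OEM Vendor defines: fixed-width INQUIRY fields, space-padded, not NUL-terminated */`. The padding also depends on the literals staying full width, because strncpy() fills any remainder with NUL bytes rather than spaces if a literal is ever shortened. The enclosing function aac_container_special_command() starts and ends outside this hunk.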

