svn commit: r298665 - head/sys/dev/aacraid
Oliver Pinter
oliver.pinter at hardenedbsd.org
Tue May 3 19:00:12 UTC 2016
On 4/26/16, Conrad E. Meyer <cem at freebsd.org> wrote:
> Author: cem
> Date: Tue Apr 26 20:59:21 2016
> New Revision: 298665
> URL: https://svnweb.freebsd.org/changeset/base/298665
>
> Log:
> aacraid(4): Fix some mostly trivial buffer overruns
>
> strcpy(3) emits a trailing nul byte, trampling fields after the intended
> destination. Instead, use strncpy(3), intentionally leaving these fields
> not nul-terminated.
>
> Reported by: Coverity
> CIDs: 1031024, 1305463, 1305494, 1305545
> Sponsored by: EMC / Isilon Storage Division
>
> Modified:
> head/sys/dev/aacraid/aacraid_cam.c
>
> Modified: head/sys/dev/aacraid/aacraid_cam.c
> ==============================================================================
> --- head/sys/dev/aacraid/aacraid_cam.c Tue Apr 26 20:36:32 2016 (r298664)
> +++ head/sys/dev/aacraid/aacraid_cam.c Tue Apr 26 20:59:21 2016 (r298665)
> @@ -568,9 +568,11 @@ aac_container_special_command(struct cam
> p->additional_length = 31;
> p->flags = SID_WBus16|SID_Sync|SID_CmdQue;
> /* OEM Vendor defines */
> - strcpy(p->vendor,"Adaptec ");
> - strcpy(p->product,"Array ");
> - strcpy(p->revision,"V1.0");
> + strncpy(p->vendor, "Adaptec ", sizeof(p->vendor));
> + strncpy(p->product, "Array ",
> + sizeof(p->product));
> + strncpy(p->revision, "V1.0",
> + sizeof(p->revision));
strlcpy instead or adjust the p->vendors size?
New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)
** CID 125792: (BUFFER_SIZE)
/sys/dev/aacraid/aacraid_cam.c: 574 in aac_container_special_command()
/sys/dev/aacraid/aacraid_cam.c: 576 in aac_container_special_command()
/sys/dev/aacraid/aacraid_cam.c: 573 in aac_container_special_command()
________________________________________________________________________________________________________
*** CID 125792: (BUFFER_SIZE)
/sys/dev/aacraid/aacraid_cam.c: 574 in aac_container_special_command()
568 p->response_format = 2;
569 if (ccb->csio.dxfer_len >= 36) {
570 p->additional_length = 31;
571 p->flags =
SID_WBus16|SID_Sync|SID_CmdQue;
572 /* OEM Vendor defines */
573 strncpy(p->vendor, "Adaptec ",
sizeof(p->vendor));
>>> CID 125792: (BUFFER_SIZE)
>>> Calling strncpy with a source string whose length (16 chars) is greater than or equal to the size argument (16) will fail to null-terminate "p->product".
574 strncpy(p->product, "Array ",
575 sizeof(p->product));
576 strncpy(p->revision, "V1.0",
577 sizeof(p->revision));
578 }
579 } else {
/sys/dev/aacraid/aacraid_cam.c: 576 in aac_container_special_command()
570 p->additional_length = 31;
571 p->flags =
SID_WBus16|SID_Sync|SID_CmdQue;
572 /* OEM Vendor defines */
573 strncpy(p->vendor, "Adaptec ",
sizeof(p->vendor));
574 strncpy(p->product, "Array ",
575 sizeof(p->product));
>>> CID 125792: (BUFFER_SIZE)
>>> Calling strncpy with a source string whose length (4 chars) is greater than or equal to the size argument (4) will fail to null-terminate "p->revision".
576 strncpy(p->revision, "V1.0",
577 sizeof(p->revision));
578 }
579 } else {
580 if (inq->page_code ==
SVPD_SUPPORTED_PAGE_LIST) {
581 struct scsi_vpd_supported_page_list *p =
/sys/dev/aacraid/aacraid_cam.c: 573 in aac_container_special_command()
567 p->version = SCSI_REV_SPC2;
568 p->response_format = 2;
569 if (ccb->csio.dxfer_len >= 36) {
570 p->additional_length = 31;
571 p->flags =
SID_WBus16|SID_Sync|SID_CmdQue;
572 /* OEM Vendor defines */
>>> CID 125792: (BUFFER_SIZE)
>>> Calling strncpy with a source string whose length (8 chars) is greater than or equal to the size argument (8) will fail to null-terminate "p->vendor".
573 strncpy(p->vendor, "Adaptec ",
sizeof(p->vendor));
574 strncpy(p->product, "Array ",
575 sizeof(p->product));
576 strncpy(p->revision, "V1.0",
577 sizeof(p->revision));
578 }
> }
> } else {
> if (inq->page_code == SVPD_SUPPORTED_PAGE_LIST) {
> _______________________________________________
> svn-src-head at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to "svn-src-head-unsubscribe at freebsd.org"
>
More information about the svn-src-head
mailing list