svn commit: r359198 - stable/11/usr.sbin/sesutil

Sat, 21 Mar 2020 18:01:55 -0700 

Author: asomers
Date: Sun Mar 22 01:01:47 2020
New Revision: 359198
URL: https://svnweb.freebsd.org/changeset/base/359198

Log:
  MFC r354664-r354666
  
  r354664:
  sesutil: fix an out-of-bounds array access
  
  sesutil would allow the user to toggle an LED that was one past the maximum
  element.  If he tried, ENCIOC_GETELMSTAT would return EINVAL.
  
  Reported by:  Coverity
  Coverity CID: 1398940
  Sponsored by: Axcient
  
  r354665:
  sesutil: fix some memory leaks
  
  Reported by:  Coverity
  Coverity CID: 1331665
  Sponsored by: Axcient
  
  r354666:
  sesutil: fix another memory leak
  
  Instead of calloc()ing (and forgetting to free) in a tight loop, just put
  this small array on the stack.
  
  Reported by:  Coverity
  Coverity CID: 1331665
  Sponsored by: Axcient

Modified:
  stable/11/usr.sbin/sesutil/sesutil.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/usr.sbin/sesutil/sesutil.c
==============================================================================
--- stable/11/usr.sbin/sesutil/sesutil.c        Sat Mar 21 19:13:22 2020        
(r359197)
+++ stable/11/usr.sbin/sesutil/sesutil.c        Sun Mar 22 01:01:47 2020        
(r359198)
@@ -242,35 +242,38 @@ sesled(int argc, char **argv, bool setfault)
                }
 
                if (ioctl(fd, ENCIOC_GETELMMAP, (caddr_t) objp) < 0) {
+                       free(objp);
                        close(fd);
                        xo_err(EXIT_FAILURE, "ENCIOC_GETELMMAP");
                }
 
                if (isses) {
-                       if (sesid > nobj) {
+                       if (sesid >= nobj) {
+                               free(objp);
                                close(fd);
                                xo_errx(EXIT_FAILURE,
                                     "Requested SES ID does not exist");
                        }
                        do_led(fd, sesid, objp[sesid].elm_type, onoff, 
setfault);
                        ndisks++;
+                       free(objp);
                        close(fd);
                        break;
                }
                for (j = 0; j < nobj; j++) {
+                       const int devnames_size = 128;
+                       char devnames[devnames_size];
+
                        if (all) {
                                do_led(fd, objp[j].elm_idx, objp[j].elm_type,
                                    onoff, setfault);
                                continue;
                        }
                        memset(&objdn, 0, sizeof(objdn));
+                       memset(devnames, 0, devnames_size);
                        objdn.elm_idx = objp[j].elm_idx;
-                       objdn.elm_names_size = 128;
-                       objdn.elm_devnames = calloc(128, sizeof(char));
-                       if (objdn.elm_devnames == NULL) {
-                               close(fd);
-                               xo_err(EXIT_FAILURE, "calloc()");
-                       }
+                       objdn.elm_names_size = devnames_size;
+                       objdn.elm_devnames = devnames;
                        if (ioctl(fd, ENCIOC_GETELMDEVNAMES,
                            (caddr_t) &objdn) <0) {
                                continue;
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to