Author: brooks
Date: Thu Apr 13 15:49:32 2017
New Revision: 316766
URL: https://svnweb.freebsd.org/changeset/base/316766

Log:
  Correct an out of bounds read with HN_AUTOSCALE and very large numbers.
  
  The maximum scale is 6 (K, M, G, T, P, E) (B is 0).
  
  Overly large explicit scales were checked correctly, but for sufficiently
  large numbers HN_AUTOSCALE would get to 7 resulting in an out of bounds
  read.
  
  Found with humanize_number_test and CHERI bounds checking.
  
  Reviewed by:  emaste
  Obtained from:        CheriBSD
  MFC after:    1 week
  Sponsored by: DARPA, AFRL
  Differential Revision:        https://reviews.freebsd.org/D10376
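As an added illustration, not the libutil code and not part of this commit: a small C re-creation of the two checks the fix touches, with the bound derived from the prefix table so the gap between "number of prefixes" (7) and "largest valid index" (6) that the log describes cannot reopen. The names (`prefixes`, `MAXSCALE`, `autoscale`, `check_explicit_scale`, `prefix_for`) and the `divisor`/`limit` parameters are assumptions for this example and do not match the signature of humanize_number(3).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical re-creation (not the libutil code) of the scale selection
 * behind humanize_number(3).  Prefix order follows the commit log:
 * B = 0, K, M, G, T, P, E = 6.
 */
static const char prefixes[] = "BKMGTPE";

/*
 * Largest valid index into prefixes[], derived from the table so the bound
 * cannot drift from the data: sizeof includes the NUL, so 8 - 2 = 6.
 */
#define MAXSCALE ((int)(sizeof(prefixes) - 2))

/* Mirror of the corrected explicit-scale check: anything above MAXSCALE is rejected. */
int check_explicit_scale(int scale)
{
	if (scale < 0)
		return (-1);
	if (scale > MAXSCALE)	/* '>' is right once MAXSCALE is the last valid index */
		return (-1);
	return (scale);
}

/*
 * Autoscale: divide until the value drops below `limit` or the table is
 * exhausted.  Returns the chosen scale (0..MAXSCALE) and stores the scaled
 * value in *scaled; returns -1 for a divisor that cannot make progress.
 */
int autoscale(uint64_t value, uint64_t divisor, uint64_t limit, uint64_t *scaled)
{
	int scale = 0;

	if (divisor < 2)
		return (-1);
	/* The second operand is the fix: without it a large enough value reaches 7. */
	while (value >= limit && scale < MAXSCALE) {
		value /= divisor;
		scale++;
	}
	if (scaled != NULL)
		*scaled = value;
	return (scale);
}

/* Bounds-checked lookup: never indexes past the table. */
char prefix_for(int scale)
{
	return ((scale >= 0 && scale <= MAXSCALE) ? prefixes[scale] : '?');
}

int main(void)
{
	uint64_t v;
	int s = autoscale(UINT64_MAX, 1000, 10, &v);	/* constructed worst case */

	printf("%llu%c (scale %d)\n", (unsigned long long)v, prefix_for(s), s);
	printf("explicit 6 -> %d, explicit 7 -> %d\n",
	    check_explicit_scale(6), check_explicit_scale(7));
	return (0);
}
```

With the largest possible 64-bit input and a divisor of 1000, the loop stops at scale 6 with a scaled value of 18, which is the case that previously ran one slot past the table.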

Modified:
  head/lib/libutil/humanize_number.c

Modified: head/lib/libutil/humanize_number.c
==============================================================================
--- head/lib/libutil/humanize_number.c  Thu Apr 13 15:47:58 2017        
(r316765)
+++ head/lib/libutil/humanize_number.c  Thu Apr 13 15:49:32 2017        
(r316766)
@@ -43,7 +43,7 @@ __FBSDID("$FreeBSD$");
 #include <locale.h>
 #include <libutil.h>
 
-static const int maxscale = 7;
+static const int maxscale = 6;
 
 int
 humanize_number(char *buf, size_t len, int64_t quotient,
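Review bot: maxscale now means the largest valid scale index (6, for E) rather than the number of prefixes, so every comparison in the file has to follow that convention; a one-line comment beside the constant such as `/* highest valid scale: B=0 ... E=6 */` would record it, and deriving the bound from the prefix table's length rather than a literal would stop the two from drifting apart again. The HN_AUTOSCALE loop that the log says reached 7 is not in the visible hunks, so its stop condition should be confirmed against the new meaning of maxscale.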
@@ -64,7 +64,7 @@ humanize_number(char *buf, size_t len, i
                return (-1);
        if (scale < 0)
                return (-1);
-       else if (scale >= maxscale &&
+       else if (scale > maxscale &&
            ((scale & ~(HN_AUTOSCALE|HN_GETSCALE)) != 0))
                return (-1);
        if ((flags & HN_DIVISOR_1000) && (flags & HN_IEC_PREFIXES))
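Review bot: with maxscale dropping to 6, the relaxation from `>=` to `>` is what keeps an explicit scale of 6 (E) accepted, so the two hunks only work as a pair and reverting either one alone reintroduces an off-by-one in one direction; a short comment on this line would make that dependency visible. The boundary cases belong in the humanize_number_test mentioned in the log: explicit scale 6 accepted, 7 rejected, and an HN_AUTOSCALE conversion of a value at or above the E prefix producing E rather than indexing past the table.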
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head