FYI this bug is still present in your btpand. Jess
> Begin forwarded message: > > From: Jessica Clarke <jrt...@freebsd.org> > Subject: git: fbfdf57d65be - main - Fix off-by-one bug in btpand > Date: 3 June 2024 at 20:31:02 BST > To: src-committ...@freebsd.org, dev-commits-src-...@freebsd.org, > dev-commits-src-m...@freebsd.org > > The branch main has been updated by jrtc27: > > URL: > https://cgit.FreeBSD.org/src/commit/?id=fbfdf57d65bedfab28f9debc8a4a8d6802f9338a > > commit fbfdf57d65bedfab28f9debc8a4a8d6802f9338a > Author: Dapeng Gao <dg...@cam.ac.uk> > AuthorDate: 2024-06-03 19:30:36 +0000 > Commit: Jessica Clarke <jrt...@freebsd.org> > CommitDate: 2024-06-03 19:30:36 +0000 > > Fix off-by-one bug in btpand > > `ul` reaches `__arraycount(services)` before the bound-check happens, > causing undefined behaviour. > > Reviewed by: imp, jrtc27 > Fixes: 7718ced0ea98 ("Add btpand(8) daemon from NetBSD.") > MFC after: 1 week > Differential Revision: https://reviews.freebsd.org/D45463 > --- > usr.sbin/bluetooth/btpand/btpand.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/usr.sbin/bluetooth/btpand/btpand.c > b/usr.sbin/bluetooth/btpand/btpand.c > index d4bc15823290..f0b29837188f 100644 > --- a/usr.sbin/bluetooth/btpand/btpand.c > +++ b/usr.sbin/bluetooth/btpand/btpand.c > @@ -143,11 +143,14 @@ main(int argc, char *argv[]) > > case 's': /* service */ > case 'S': /* service (no SDP) */ > - for (ul = 0; strcasecmp(optarg, services[ul].name); ul++) { > - if (ul == __arraycount(services)) > - errx(EXIT_FAILURE, "%s: unknown service", optarg); > + for (ul = 0; ul < __arraycount(services); ul++) { > + if (strcasecmp(optarg, services[ul].name) == 0) > + break; > } > > + if (ul == __arraycount(services)) > + errx(EXIT_FAILURE, "%s: unknown service", optarg); > + > if (ch == 's') > service_name = services[ul].name; >
