Dear tech@,
codechecker found the following problem with fsb in sbin/mountd:
mntsrv(...)
...
struct statfs fsb;
...
if (realpath(rpcpath, dirpath) == NULL) {
bad = errno;
if (debug)
fprintf(stderr, "realpath failed on %s\n",
rpcpath);
strlcpy(dirpath, rpcpath, sizeof(dirpath));
} else if (stat(dirpath, &stb) == -1 ||
(!S_ISDIR(stb.st_mode) && !S_ISREG(stb.st_mode)) ||
statfs(dirpath, &fsb) == -1) {
if (debug)
fprintf(stderr, "stat failed on %s\n", dirpath);
bad = ENOENT; /* We will send error reply later */
}
/* Check in the exports list */
sigprocmask(SIG_BLOCK, &sighup_mask, NULL);
ep = ex_search(&fsb.f_fsid);
...
The tool finds a path to ex_search where fsb.f_fsid is uninitialized: when realpath() fails, the first branch is taken and statfs() is never called, and in the else-if branch a failing stat() or a non-directory/non-regular path short-circuits the condition before statfs() runs, yet in both cases execution continues to ex_search(&fsb.f_fsid).
ex_search compares the potentially uninitialized stack data:
ex_search(fsid_t *fsid)
{
struct exportlist *ep;
ep = exphead;
while (ep) {
if (ep->ex_fs.val[0] == fsid->val[0] &&
...
Is it sufficient to zero fsb?
Is this really reachable?
mbuhl