aboutsummaryrefslogtreecommitdiffstats
path: root/sbin/mdmfs
diff options
context:
space:
mode:
authorBrooks Davis <brooks@FreeBSD.org>2019-02-11 21:31:26 +0000
committerBrooks Davis <brooks@FreeBSD.org>2019-02-11 21:31:26 +0000
commitf95509a489bc55a3aefd0e650509067752a6d279 (patch)
tree6deafe75d8971387c278b5852091f6602c98ea84 /sbin/mdmfs
parent967b2dce026f8430e2c23c1b6a927f42a46ec84d (diff)
downloadsrc-f95509a489bc55a3aefd0e650509067752a6d279.tar.gz
src-f95509a489bc55a3aefd0e650509067752a6d279.zip
mdmfs: Fix many bugs in automatic md(4) creation.
This code allocated a correctly sized buffer, read past the end of the source buffer, writing off the end of the target buffer, and then writing a '\0' terminator past the end of the target buffer (in the wrong place). It then leaked the buffer. Switch to a statically sized buffer on the stack and update the source pointer and length before use so the correct things are copied. Fix a logic error in the checks that the format of the line is as expected and move on out of an assert. Remove an unneeded close(). fclose() closes the descriptor. Found with: CheriABI Obtained from: CheriBSD Reviewed by: kib, jhb, markj Differential Revision: https://reviews.freebsd.org/D19122
Notes
Notes: svn path=/head/; revision=344023
Diffstat (limited to 'sbin/mdmfs')
-rw-r--r--sbin/mdmfs/mdmfs.c17
1 files changed, 9 insertions, 8 deletions
diff --git a/sbin/mdmfs/mdmfs.c b/sbin/mdmfs/mdmfs.c
index b85d7dd4cd9a..6e4a39611a89 100644
--- a/sbin/mdmfs/mdmfs.c
+++ b/sbin/mdmfs/mdmfs.c
@@ -444,7 +444,8 @@ static void
do_mdconfig_attach_au(const char *args, const enum md_types mdtype)
{
const char *ta; /* Type arg. */
- char *linep, *linebuf; /* Line pointer, line buffer. */
+ char *linep;
+ char linebuf[12]; /* 32-bit unit (10) + '\n' (1) + '\0' (1) */
int fd; /* Standard output of mdconfig invocation. */
FILE *sfd;
int rv;
@@ -479,14 +480,15 @@ do_mdconfig_attach_au(const char *args, const enum md_types mdtype)
if (sfd == NULL)
err(1, "fdopen");
linep = fgetln(sfd, &linelen);
- if (linep == NULL && linelen < mdnamelen + 1)
- errx(1, "unexpected output from mdconfig (attach)");
/* If the output format changes, we want to know about it. */
- assert(strncmp(linep, mdname, mdnamelen) == 0);
- linebuf = malloc(linelen - mdnamelen + 1);
- assert(linebuf != NULL);
+ if (linep == NULL || linelen <= mdnamelen + 1 ||
+ linelen - mdnamelen >= sizeof(linebuf) ||
+ strncmp(linep, mdname, mdnamelen) != 0)
+ errx(1, "unexpected output from mdconfig (attach)");
+ linep += mdnamelen;
+ linelen -= mdnamelen;
/* Can't use strlcpy because linep is not NULL-terminated. */
- strncpy(linebuf, linep + mdnamelen, linelen);
+ strncpy(linebuf, linep, linelen);
linebuf[linelen] = '\0';
ul = strtoul(linebuf, &p, 10);
if (ul == ULONG_MAX || *p != '\n')
@@ -494,7 +496,6 @@ do_mdconfig_attach_au(const char *args, const enum md_types mdtype)
unit = ul;
fclose(sfd);
- close(fd);
}
/*