NetBSD Problem Report #50867

From www@NetBSD.org  Mon Feb 29 17:27:12 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 782027ACA2
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 29 Feb 2016 17:27:12 +0000 (UTC)
Message-Id: <20160229172711.645B67ACD3@mollari.NetBSD.org>
Date: Mon, 29 Feb 2016 17:27:11 +0000 (UTC)
From: dcb314@hotmail.com
Reply-To: dcb314@hotmail.com
To: gnats-bugs@NetBSD.org
Subject: src/usr.sbin/grfconfig/grfconfig.c:165: array index used before sanity check ?
X-Send-Pr-Version: www-1.0

>Number:         50867
>Category:       bin
>Synopsis:       src/usr.sbin/grfconfig/grfconfig.c:165: array index used before sanity check ?
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 29 17:30:00 +0000 2016
>Closed-Date:    Mon Feb 29 20:41:52 +0000 2016
>Last-Modified:  Mon Feb 29 21:00:01 +0000 2016
>Originator:     David Binderman
>Release:        cvs dated 20160229
>Organization:
>Environment:
>Description:
[src/usr.sbin/grfconfig/grfconfig.c:165]: (style) Array index 'i' is used before limits check.

            for (i = 0, *cps = strtok(buf, " \b\t\r\n");
                cps[i] != NULL && i < 30; i++)
                cps[i + 1] = strtok(NULL, " \b\t\r\n");

Suggest sanity check array index before use.

>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/50867 CVS commit: src/usr.sbin/grfconfig
Date: Mon, 29 Feb 2016 13:59:53 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Mon Feb 29 18:59:53 UTC 2016

 Modified Files:
 	src/usr.sbin/grfconfig: grfconfig.c

 Log Message:
 PR/50867: David Binderman: Fix parsing loop.
 While here, modernize error handling, merge copy and pasted code.


 To generate a diff of this commit:
 cvs rdiff -u -r1.15 -r1.16 src/usr.sbin/grfconfig/grfconfig.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Mon, 29 Feb 2016 20:41:52 +0000
State-Changed-Why:
Fixed by christos, thanks.


From: Robert Elz <kre@munnari.OZ.AU>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/50867: src/usr.sbin/grfconfig/grfconfig.c:165: array index used before sanity check ?
Date: Tue, 01 Mar 2016 03:51:27 +0700

     Date:        Mon, 29 Feb 2016 17:30:00 +0000 (UTC)
     From:        dcb314@hotmail.com
     Message-ID:  <20160229173000.80B9B7ACA2@mollari.NetBSD.org>

   |             for (i = 0, *cps = strtok(buf, " \b\t\r\n");
   |                 cps[i] != NULL && i < 30; i++)
   |                 cps[i + 1] = strtok(NULL, " \b\t\r\n");
   | 
   | Suggest sanity check array index before use.

 I know Christos has already "fixed" this one, but there is absolutely nothing
 wrong with the code that was there (shown above).

 The first time through the loop, i is 0, which is certainly within
 bounds, every other time through the loop, the "i < 30" test has
 just been performed (from the last time through), and i has only been
 incremented once, so we now know i <= 31 - which is much less than
 sizeof buf.

 This one did not need fixing, the analysis tool does.

 kre


From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, 
	dcb314@hotmail.com
Cc: 
Subject: Re: bin/50867: src/usr.sbin/grfconfig/grfconfig.c:165: array index used before sanity check ?
Date: Mon, 29 Feb 2016 15:56:05 -0500

 On Feb 29,  8:55pm, kre@munnari.OZ.AU (Robert Elz) wrote:
 -- Subject: Re: bin/50867: src/usr.sbin/grfconfig/grfconfig.c:165: array inde

 |  
 |  I know Christos has already "fixed" this one, but there is absolutely nothing
 |  wrong with the code that was there (shown above).
 |  
 |  The first time through the loop, i is 0, which is certainly within
 |  bounds, every other time through the loop, the "i < 30" test has
 |  just been performed (from the last time through), and i has only been
 |  incremented once, so we now know i <= 31 - which is much less than
 |  sizeof buf.
 |  
 |  This one did not need fixing, the analysis tool does.

 I know, but the code is easier to understand now (at least I hope it is).

 christos

>Unformatted:

Home	PR Database Search