NetBSD Problem Report #50867
From www@NetBSD.org Mon Feb 29 17:27:12 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 782027ACA2
for <gnats-bugs@gnats.NetBSD.org>; Mon, 29 Feb 2016 17:27:12 +0000 (UTC)
Message-Id: <20160229172711.645B67ACD3@mollari.NetBSD.org>
Date: Mon, 29 Feb 2016 17:27:11 +0000 (UTC)
From: dcb314@hotmail.com
Reply-To: dcb314@hotmail.com
To: gnats-bugs@NetBSD.org
Subject: src/usr.sbin/grfconfig/grfconfig.c:165: array index used before sanity check ?
X-Send-Pr-Version: www-1.0
>Number: 50867
>Category: bin
>Synopsis: src/usr.sbin/grfconfig/grfconfig.c:165: array index used before sanity check ?
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Feb 29 17:30:00 +0000 2016
>Closed-Date: Mon Feb 29 20:41:52 +0000 2016
>Last-Modified: Mon Feb 29 21:00:01 +0000 2016
>Originator: David Binderman
>Release: cvs dated 20160229
>Organization:
>Environment:
>Description:
[src/usr.sbin/grfconfig/grfconfig.c:165]: (style) Array index 'i' is used before limits check.
for (i = 0, *cps = strtok(buf, " \b\t\r\n");
cps[i] != NULL && i < 30; i++)
cps[i + 1] = strtok(NULL, " \b\t\r\n");
Suggest sanity check array index before use.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50867 CVS commit: src/usr.sbin/grfconfig
Date: Mon, 29 Feb 2016 13:59:53 -0500
Module Name: src
Committed By: christos
Date: Mon Feb 29 18:59:53 UTC 2016
Modified Files:
src/usr.sbin/grfconfig: grfconfig.c
Log Message:
PR/50867: David Binderman: Fix parsing loop.
While here, modernize error handling, merge copy and pasted code.
To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/usr.sbin/grfconfig/grfconfig.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Mon, 29 Feb 2016 20:41:52 +0000
State-Changed-Why:
Fixed by christos, thanks.
From: Robert Elz <kre@munnari.OZ.AU>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/50867: src/usr.sbin/grfconfig/grfconfig.c:165: array index used before sanity check ?
Date: Tue, 01 Mar 2016 03:51:27 +0700
Date: Mon, 29 Feb 2016 17:30:00 +0000 (UTC)
From: dcb314@hotmail.com
Message-ID: <20160229173000.80B9B7ACA2@mollari.NetBSD.org>
| for (i = 0, *cps = strtok(buf, " \b\t\r\n");
| cps[i] != NULL && i < 30; i++)
| cps[i + 1] = strtok(NULL, " \b\t\r\n");
|
| Suggest sanity check array index before use.
I know Christos has already "fixed" this one, but there is absolutely nothing
wrong with the code that was there (shown above).
The first time through the loop, i is 0, which is certainly within
bounds, every other time through the loop, the "i < 30" test has
just been performed (from the last time through), and i has only been
incremented once, so we now know i <= 31 - which is much less than
sizeof buf.
This one did not need fixing, the analysis tool does.
kre
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
dcb314@hotmail.com
Cc:
Subject: Re: bin/50867: src/usr.sbin/grfconfig/grfconfig.c:165: array index used before sanity check ?
Date: Mon, 29 Feb 2016 15:56:05 -0500
On Feb 29, 8:55pm, kre@munnari.OZ.AU (Robert Elz) wrote:
-- Subject: Re: bin/50867: src/usr.sbin/grfconfig/grfconfig.c:165: array inde
|
| I know Christos has already "fixed" this one, but there is absolutely nothing
| wrong with the code that was there (shown above).
|
| The first time through the loop, i is 0, which is certainly within
| bounds, every other time through the loop, the "i < 30" test has
| just been performed (from the last time through), and i has only been
| incremented once, so we now know i <= 31 - which is much less than
| sizeof buf.
|
| This one did not need fixing, the analysis tool does.
I know, but the code is easier to understand now (at least I hope it is).
christos
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.