[Bug 281159] [PATCH] mfiutil: Fix potential buffer overflow and truncation issues
Date: Sat, 31 Aug 2024 10:54:04 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281159
Bug ID: 281159
Summary: [PATCH] mfiutil: Fix potential buffer overflow and
truncation issues
Product: Base System
Version: 15.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: msl0000023508@gmail.com
Created attachment 253206
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=253206&action=edit
proposed fix
The fix in mfi_volume.c is particularly important; since it uses sprintf(3), if
'state' is too big, an overflow, instead of string truncation, will occur.
This change fixes the following warnings emitted by gcc(1):
mfi_drive.c: In function 'mfi_pdstate':
mfi_drive.c:155:40: warning: '%04x' directive writing between 4 and 8 bytes
into a region of size 7 [-Wformat-overflow=]
In function 'mfi_pdstate',
inlined from 'mfi_pdstate' at /usr/src/usr.sbin/mfiutil/mfi_drive.c:131:1:
/usr/src/usr.sbin/mfiutil/mfi_drive.c:155:30: note: directive argument in the
range [3, 4294967295]
mfi_drive.c:155:17: note: 'sprintf' output between 14 and 18 bytes into a
destination of size 16
mfi_drive.c: In function 'mfi_pd_inq_string':
mfi_drive.c:375:57: warning: ' ' directive output may be truncated writing 1
byte into a region of size between 0 and 62 [-Wformat-truncation=]
mfi_drive.c:375:9: note: 'snprintf' output 14 or more bytes (assuming 110) into
a destination of size 64
mfi_drive.c:358:65: warning: ' serial=' directive output may be truncated
writing 8 bytes into a region of size between 0 and 62 [-Wformat-truncation=]
mfi_drive.c:358:17: note: 'snprintf' output between 17 and 98 bytes into a
destination of size 64
mfi_evt.c: In function 'pdrive_location':
mfi_evt.c:350:64: warning: 'snprintf' output may be truncated before the last
format character [-Wformat-truncation=]
mfi_evt.c:350:17: note: 'snprintf' output between 10 and 17 bytes into a
destination of size 16
mfi_volume.c: In function 'mfi_ldstate':
mfi_volume.c:60:40: warning: '%02x' directive writing between 2 and 8 bytes
into a region of size 7 [-Wformat-overflow=]
mfi_volume.c:60:30: note: directive argument in the range [4, 4294967295]
mfi_volume.c:60:17: note: 'sprintf' output between 12 and 18 bytes into a
destination of size 16
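The byte ranges in the mfi_volume.c warning above can be reproduced with a short stand-alone program. This is an added example, not the attached patch or mfiutil's own code: the 9-character prefix "XSTATE 0x" is a constructed stand-in chosen so that '%02x' yields the reported 12 to 18 bytes, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define STATE_BUF_LEN 16	/* destination size reported in the gcc notes */

/* Constructed format: 9 fixed characters followed by the '%02x' directive. */
#define STATE_FMT "XSTATE 0x%02x"

/*
 * Bytes, including the terminating NUL, that the format needs for 'state'.
 * snprintf(NULL, 0, ...) returns the length it would have written.
 * An unbounded sprintf(buf, STATE_FMT, state) writes exactly this many
 * bytes, whatever the size of buf.
 */
static int
state_bytes_needed(unsigned int state)
{
	return (snprintf(NULL, 0, STATE_FMT, state) + 1);
}

/*
 * Bounded formatting: never writes past buf[len - 1].
 * Returns 0 if the whole string fit, 1 if it was truncated, -1 on error.
 */
static int
format_state(char *buf, size_t len, unsigned int state)
{
	int n = snprintf(buf, len, STATE_FMT, state);

	if (n < 0)
		return (-1);
	return ((size_t)n >= len ? 1 : 0);
}

int
main(void)
{
	/* Constructed sample values spanning the range gcc reports. */
	unsigned int samples[] = { 0x04, 0xff, 0x12345, 0xffffffffu };
	char buf[STATE_BUF_LEN];

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int truncated = format_state(buf, sizeof(buf), samples[i]);
		printf("state=%#x needs %d bytes, buffer holds %d -> \"%s\"%s\n",
		    samples[i], state_bytes_needed(samples[i]), STATE_BUF_LEN,
		    buf, truncated == 1 ? " (truncated)" : "");
	}
	return (0);
}
```

Any value with seven or more hex digits needs more than 16 bytes; the bounded call reports truncation for it and leaves the buffer NUL-terminated.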