svn commit: r253504 - head/sbin/route

Ulrich Spörlein uqs at FreeBSD.org
Wed Jul 24 13:00:49 UTC 2013 

On Sat, 2013-07-20 at 16:46:51 +0000, Hiroki Sato wrote:
> Author: hrs
> Date: Sat Jul 20 16:46:51 2013
> New Revision: 253504
> URL: http://svnweb.freebsd.org/changeset/base/253504
> 
> Log:
>   - Simplify getaddr() and print_getmsg() by using RTAX_* instead of RTA_*
>     as the argument.
>   - Reduce unnecessary loop in print_getmsg().
> 
> Modified:
>   head/sbin/route/route.c
> 
> Modified: head/sbin/route/route.c
> ==============================================================================
> --- head/sbin/route/route.c	Sat Jul 20 15:58:43 2013	(r253503)
> +++ head/sbin/route/route.c	Sat Jul 20 16:46:51 2013	(r253504)
> @@ -1105,7 +1105,7 @@ inet6_makenetandmask(struct sockaddr_in6
>   * returning 1 if a host address, 0 if a network address.
>   */
>  static int
> -getaddr(int which, char *str, struct hostent **hpp, int nrflags)
> +getaddr(int idx, char *str, struct hostent **hpp, int nrflags)
>  {
>  	struct sockaddr *sa;
>  #if defined(INET)
> @@ -1130,36 +1130,16 @@ getaddr(int which, char *str, struct hos
>  		aflen = sizeof(struct sockaddr_dl);
>  #endif
>  	}
> -	rtm_addrs |= which;
> +	rtm_addrs |= (1 << idx);
>  
> -	switch (which) {
> -	case RTA_DST:
> -		sa = (struct sockaddr *)&so[RTAX_DST];
> -		break;
> -	case RTA_GATEWAY:
> -		sa = (struct sockaddr *)&so[RTAX_GATEWAY];
> -		break;
> -	case RTA_NETMASK:
> -		sa = (struct sockaddr *)&so[RTAX_NETMASK];
> -		break;
> -	case RTA_GENMASK:
> -		sa = (struct sockaddr *)&so[RTAX_GENMASK];
> -		break;
> -	case RTA_IFA:
> -		sa = (struct sockaddr *)&so[RTAX_IFA];
> -		break;
> -	case RTA_IFP:
> -		sa = (struct sockaddr *)&so[RTAX_IFP];
> -		break;
> -	default:
> +	if (idx > RTAX_MAX)
>  		usage("internal error");
> -		/*NOTREACHED*/
> -	}
> +	sa = (struct sockaddr *)&so[idx];

Coverity Scan flags this as an out-of-bounds write. RTAX_MAX is 8, so
idx can be up to 8 (inclusive) in the check above. Do you want to check
for idx >= RTAX_MAX maybe? idx is also signed ...

Coverity CID is 1054779, btw.

Cheers,
Uli

More information about the svn-src-all mailing list