svn commit: r344023 - head/sbin/mdmfs

Mon Feb 11 21:31:28 UTC 2019

Author: brooks
Date: Mon Feb 11 21:31:26 2019
New Revision: 344023
URL: https://svnweb.freebsd.org/changeset/base/344023

Log:
  mdmfs: Fix many bugs in automatic md(4) creation.
  
  This code allocated a correctly sized buffer, read past the end of the
  source buffer, writing off the end of the target buffer, and then writing
  a '\0' terminator past the end of the target buffer (in the wrong place).
  It then leaked the buffer.
  
  Switch to a statically sized buffer on the stack and update the source
  pointer and
  length before use so the correct things are copied.
  
  Fix a logic error in the checks that the format of the line is as
  expected and move on out of an assert.
  
  Remove an unneeded close(). fclose() closes the descriptor.
  
  Found with:	CheriABI
  Obtained from:	CheriBSD
  Reviewed by:	kib, jhb, markj
  Differential Revision:	https://reviews.freebsd.org/D19122

Modified:
  head/sbin/mdmfs/mdmfs.c

Modified: head/sbin/mdmfs/mdmfs.c
==============================================================================

--- head/sbin/mdmfs/mdmfs.c	Mon Feb 11 20:47:09 2019	(r344022)
+++ head/sbin/mdmfs/mdmfs.c	Mon Feb 11 21:31:26 2019	(r344023)
@@ -444,7 +444,8 @@ static void
 do_mdconfig_attach_au(const char *args, const enum md_types mdtype)
 {
 	const char *ta;		/* Type arg. */
-	char *linep, *linebuf; 	/* Line pointer, line buffer. */
+	char *linep;
+	char linebuf[12];	/* 32-bit unit (10) + '\n' (1) + '\0' (1) */
 	int fd;			/* Standard output of mdconfig invocation. */
 	FILE *sfd;
 	int rv;
@@ -479,14 +480,15 @@ do_mdconfig_attach_au(const char *args, const enum md_
 	if (sfd == NULL)
 		err(1, "fdopen");
 	linep = fgetln(sfd, &linelen);
-	if (linep == NULL && linelen < mdnamelen + 1)
-		errx(1, "unexpected output from mdconfig (attach)");
 	/* If the output format changes, we want to know about it. */
-	assert(strncmp(linep, mdname, mdnamelen) == 0);
-	linebuf = malloc(linelen - mdnamelen + 1);
-	assert(linebuf != NULL);
+	if (linep == NULL || linelen <= mdnamelen + 1 ||
+	    linelen - mdnamelen >= sizeof(linebuf) ||
+	    strncmp(linep, mdname, mdnamelen) != 0)
+		errx(1, "unexpected output from mdconfig (attach)");
+	linep += mdnamelen;
+	linelen -= mdnamelen;
 	/* Can't use strlcpy because linep is not NULL-terminated. */
-	strncpy(linebuf, linep + mdnamelen, linelen);
+	strncpy(linebuf, linep, linelen);
 	linebuf[linelen] = '\0';
 	ul = strtoul(linebuf, &p, 10);
 	if (ul == ULONG_MAX || *p != '\n')
@@ -494,7 +496,6 @@ do_mdconfig_attach_au(const char *args, const enum md_
 	unit = ul;
 
 	fclose(sfd);
-	close(fd);
 }
 
 /*
