svn commit: r363435 - head/usr.sbin/mountd
Brooks Davis
brooks at FreeBSD.org
Wed Jul 22 21:44:52 UTC 2020
Author: brooks
Date: Wed Jul 22 21:44:51 2020
New Revision: 363435
URL: https://svnweb.freebsd.org/changeset/base/363435
Log:
Avoid reading one byte before the path buffer.
This happens when there's only one component (e.g. "/foo"). This
(mostly-harmless) bug has been present since June 1990 when it was
commited to mountd.c SCCS version 5.9.
Note: the bug is on the second changed line, the first line is changed
for visual consistency.
Reviewed by: cem, emaste, mckusick, rmacklem
Found with: CHERI
Obtained from: CheriBSD
MFC after: 1 week
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D25759
Modified:
head/usr.sbin/mountd/mountd.c
Modified: head/usr.sbin/mountd/mountd.c
==============================================================================
--- head/usr.sbin/mountd/mountd.c Wed Jul 22 21:30:18 2020 (r363434)
+++ head/usr.sbin/mountd/mountd.c Wed Jul 22 21:44:51 2020 (r363435)
@@ -3155,9 +3155,9 @@ do_mount(struct exportlist *ep, struct grouplist *grp,
goto error_exit;
}
/* back up over the last component */
- while (*cp == '/' && cp > dirp)
+ while (cp > dirp && *cp == '/')
cp--;
- while (*(cp - 1) != '/' && cp > dirp)
+ while (cp > dirp && *(cp - 1) != '/')
cp--;
if (cp == dirp) {
if (debug)
More information about the svn-src-all
mailing list