svn commit: r317386 - stable/11/lib/libutil
Brooks Davis
brooks at FreeBSD.org
Mon Apr 24 21:35:04 UTC 2017
Author: brooks
Date: Mon Apr 24 21:35:02 2017
New Revision: 317386
URL: https://svnweb.freebsd.org/changeset/base/317386
Log:
MFC r316766:
Correct an out of bounds read with HN_AUTOSCALE and very large numbers.
The maximum scale is 6 (K, M, G, T, P, E) (B is 0).
Overly large explicit scales were checked correctly, but for sufficiently
large numbers HN_AUTOSCALE would get to 7 resulting in an out of bounds
read.
Found with humanize_number_test and CHERI bounds checking.
Reviewed by: emaste
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Modified:
stable/11/lib/libutil/humanize_number.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/lib/libutil/humanize_number.c
==============================================================================
--- stable/11/lib/libutil/humanize_number.c Mon Apr 24 21:31:27 2017 (r317385)
+++ stable/11/lib/libutil/humanize_number.c Mon Apr 24 21:35:02 2017 (r317386)
@@ -43,7 +43,7 @@ __FBSDID("$FreeBSD$");
#include <locale.h>
#include <libutil.h>
-static const int maxscale = 7;
+static const int maxscale = 6;
int
humanize_number(char *buf, size_t len, int64_t quotient,
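Review bot: the meaning of maxscale changes here from "number of prefixes" (7, with B at index 0) to "largest valid prefix index" (6, the index of E), so every remaining use of it in this file has to be read as an inclusive bound; the explicit-scale check below is adjusted to match, but the autoscale loop the log message describes (the one that used to reach 7) is not in this hunk, so it is worth confirming in the full file that it now stops at maxscale rather than running one past it. A one-line comment on the definition, e.g. "/* index of the last entry ('E') in the prefix table */", would stop the next reader from reintroducing the off-by-one.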
@@ -64,7 +64,7 @@ humanize_number(char *buf, size_t len, i
return (-1);
if (scale < 0)
return (-1);
- else if (scale >= maxscale &&
+ else if (scale > maxscale &&
((scale & ~(HN_AUTOSCALE|HN_GETSCALE)) != 0))
return (-1);
if ((flags & HN_DIVISOR_1000) && (flags & HN_IEC_PREFIXES))
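Review bot: the rejection boundary for explicit scales is unchanged by this hunk (with the old maxscale of 7, "scale >= maxscale" rejected 7 and accepted 6; with the new value of 6, "scale > maxscale" does the same), so this line only compensates for the redefinition of the constant and the actual fix for the over-large HN_AUTOSCALE case lives elsewhere in the file; the log message should be read with that in mind. Since the bug was found with humanize_number_test, the merge would be safer with a regression case exercising HN_AUTOSCALE on a value large enough to need the E prefix (and one for an explicit scale of 6 and of 7) so the inclusive-bound semantics cannot silently drift again.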