svn commit: r355432 - stable/12/usr.sbin/sesutil

Alan Somers asomers at FreeBSD.org
Fri Dec 6 00:24:32 UTC 2019 

Author: asomers
Date: Fri Dec  6 00:24:31 2019
New Revision: 355432
URL: https://svnweb.freebsd.org/changeset/base/355432

Log:
  MFC r354664-r354666
  
  r354664:
  sesutil: fix an out-of-bounds array access
  
  sesutil would allow the user to toggle an LED that was one past the maximum
  element.  If he tried, ENCIOC_GETELMSTAT would return EINVAL.
  
  Reported by:	Coverity
  Coverity CID:	1398940
  Sponsored by:	Axcient
  
  r354665:
  sesutil: fix some memory leaks
  
  Reported by:	Coverity
  Coverity CID:	1331665
  Sponsored by:	Axcient
  
  r354666:
  sesutil: fix another memory leak
  
  Instead of calloc()ing (and forgetting to free) in a tight loop, just put
  this small array on the stack.
  
  Reported by:	Coverity
  Coverity CID:	1331665
  Sponsored by:	Axcient

Modified:
  stable/12/usr.sbin/sesutil/sesutil.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/usr.sbin/sesutil/sesutil.c
==============================================================================
--- stable/12/usr.sbin/sesutil/sesutil.c	Fri Dec  6 00:12:14 2019	(r355431)
+++ stable/12/usr.sbin/sesutil/sesutil.c	Fri Dec  6 00:24:31 2019	(r355432)
@@ -242,35 +242,38 @@ sesled(int argc, char **argv, bool setfault)
 		}
 
 		if (ioctl(fd, ENCIOC_GETELMMAP, (caddr_t) objp) < 0) {
+			free(objp);
 			close(fd);
 			xo_err(EXIT_FAILURE, "ENCIOC_GETELMMAP");
 		}
 
 		if (isses) {
-			if (sesid > nobj) {
+			if (sesid >= nobj) {
+				free(objp);
 				close(fd);
 				xo_errx(EXIT_FAILURE,
 				     "Requested SES ID does not exist");
 			}
 			do_led(fd, sesid, objp[sesid].elm_type, onoff, setfault);
 			ndisks++;
+			free(objp);
 			close(fd);
 			break;
 		}
 		for (j = 0; j < nobj; j++) {
+			const int devnames_size = 128;
+			char devnames[devnames_size];
+
 			if (all) {
 				do_led(fd, objp[j].elm_idx, objp[j].elm_type,
 				    onoff, setfault);
 				continue;
 			}
 			memset(&objdn, 0, sizeof(objdn));
+			memset(devnames, 0, devnames_size);
 			objdn.elm_idx = objp[j].elm_idx;
-			objdn.elm_names_size = 128;
-			objdn.elm_devnames = calloc(128, sizeof(char));
-			if (objdn.elm_devnames == NULL) {
-				close(fd);
-				xo_err(EXIT_FAILURE, "calloc()");
-			}
+			objdn.elm_names_size = devnames_size;
+			objdn.elm_devnames = devnames;
 			if (ioctl(fd, ENCIOC_GETELMDEVNAMES,
 			    (caddr_t) &objdn) <0) {
 				continue;

More information about the svn-src-stable mailing list