Bug 203644
| Summary: | makefs: Coverity CID 974635, 974636: Copying several struct elements by single memcpy(). | ||
|---|---|---|---|
| Product: | Base System | Reporter: | scdbackup |
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | ||
| Severity: | Affects Some People | CC: | avos, emaste |
| Priority: | --- | ||
| Version: | CURRENT | ||
| Hardware: | Any | ||
| OS: | Any | ||
Bulk taking makefs bugs. Handing a number of makefs, mtree, and msdosfs bugs in my queue over to emaste@. Reset assignee - I am not currently looking at this PR. Fixed in base r299461 |
usr.sbin/makefs/ffs/ffs_bswap.c CID 974635 : Destination buffer too small (BUFFER_SIZE) 10. buffer_size: You might overrun the 48 byte destination string n->di_db by writing the maximum 60 bytes from o->di_db. 138 memcpy(n->di_db, o->di_db, (NDADDR + NIADDR) * sizeof(u_int32_t)); CID 974636 : Destination buffer too small (BUFFER_SIZE) 20. buffer_size: You might overrun the 16 byte destination string n->di_extb by writing the maximum 136 bytes from o->di_extb. 168 memcpy(n->di_extb, o->di_extb, (NXADDR + NDADDR + NIADDR) * 8); --------------- Source analysis: sys/ufs/ufs/dinode.h defines typedef int32_t ufs1_daddr_t; ... struct ufs1_dinode { ... ufs1_daddr_t di_db[NDADDR]; /* 40: Direct disk blocks. */ ufs1_daddr_t di_ib[NIADDR]; /* 88: Indirect disk blocks. */ ... So both arrays get copied in one memcpy() operation. Same with CID 974636: typedef int64_t ufs2_daddr_t; ... struct ufs2_dinode { ... ufs2_daddr_t di_extb[NXADDR];/* 96: External attributes block. */ ufs2_daddr_t di_db[NDADDR]; /* 112: Direct disk blocks. */ ufs2_daddr_t di_ib[NIADDR]; /* 208: Indirect disk blocks. */ Three arrays, one memcpy(). --------------- Remedy proposal: One should consider to use two or three separate memcpy() calls. (I cannot judge whether the alignment of 40 and 88 needs padding bytes on any architecture.)