authorbrooks <brooks@FreeBSD.org>2017-04-24 21:41:04 +0000
committerbrooks <brooks@FreeBSD.org>2017-04-24 21:41:04 +0000
commite8bb803babc5673a28555c9afa2a5f3da96add0f (patch)
tree492cd507b38751396190429d4fb2b0807f94fb27 /lib
parent5f7e779f9ffada568a00fd3d20896316ecf69996 (diff)
MFC r316766:
Correct an out of bounds read with HN_AUTOSCALE and very large numbers. The maximum scale is 6 (K, M, G, T, P, E) (B is 0). Overly large explicit scales were checked correctly, but for sufficiently large numbers HN_AUTOSCALE would get to 7 resulting in an out of bounds read. Found with humanize_number_test and CHERI bounds checking. Reviewed by: emaste Obtained from: CheriBSD Sponsored by: DARPA, AFRL
Diffstat (limited to 'lib')
-rw-r--r--lib/libutil/humanize_number.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libutil/humanize_number.c b/lib/libutil/humanize_number.c
index b773422..675a969 100644
--- a/lib/libutil/humanize_number.c
+++ b/lib/libutil/humanize_number.c
@@ -43,7 +43,7 @@ __FBSDID("$FreeBSD$");
#include <locale.h>
#include <libutil.h>
-static const int maxscale = 7;
+static const int maxscale = 6;
int
humanize_number(char *buf, size_t len, int64_t quotient,
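Review bot: `maxscale` now means the highest valid scale index rather than a count, and nothing at the declaration says so or ties it to the prefix strings it presumably bounds. Since the out-of-bounds read came from exactly this off-by-one, I would document the constant, e.g. `/* Highest valid scale index: B is 0, then K, M, G, T, P, E (6); must match the prefix strings. */`. The autoscale loop that uses this bound is outside the hunk, so it should be checked that it treats `maxscale` as inclusive in the same way. humanize_number's body continues beyond this hunk.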
@@ -64,7 +64,7 @@ humanize_number(char *buf, size_t len, int64_t quotient,
return (-1);
if (scale < 0)
return (-1);
- else if (scale >= maxscale &&
+ else if (scale > maxscale &&
((scale & ~(HN_AUTOSCALE|HN_GETSCALE)) != 0))
return (-1);
if ((flags & HN_DIVISOR_1000) && (flags & HN_IEC_PREFIXES))
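Review bot: The `scale > maxscale` branch still accepts a value above 6 when it consists only of HN_AUTOSCALE/HN_GETSCALE bits, which is not obvious from the condition. A short comment above the `else if` would help, e.g. `/* Above maxscale only the HN_AUTOSCALE and HN_GETSCALE flag values are valid. */`. The commit message says the bug showed up in humanize_number_test only under CHERI bounds checking, so a test case that pins the expected output for a very large value with HN_AUTOSCALE would let platforms without bounds checking catch a regression. The function starts and ends outside this hunk.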