author | truckman <truckman@FreeBSD.org> | 2016-05-25 15:43:01 +0000 |
---|---|---|
committer | truckman <truckman@FreeBSD.org> | 2016-05-25 15:43:01 +0000 |
commit | 4122004b6c02f0c54d5381e35543c4413bee2cd4 (patch) | |
tree | 28c01cc3875051594d7b04b8fbc380bc5f67c732 /sbin | |
parent | f98bda461d8f7c3915855e0713c074b9faf660f3 (diff) | |
Fix a couple of new instances of a false positive Coverity buffer
overflow defect. Use the new CCB_CLEAR_ALL_EXCEPT_HDR() macro
instead of calling bzero() on the pointer to the header used
as an array and indexed by 1.
Don't leak a buffer after executing "goto restart_report" by
overwriting its pointer with the results of another calloc().
Be sure to clear the buffer before reusing it. (CID 1356042)
Reported by: Coverity
CID: 1356022, 1356034, 1356023, 1356035, 1356042
Reviewed by: ken
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/camcontrol/epc.c | 3 | ||||
-rw-r--r-- | sbin/camcontrol/zone.c | 8 |
2 files changed, 6 insertions, 5 deletions
diff --git a/sbin/camcontrol/epc.c b/sbin/camcontrol/epc.c
index 10d76f6..783db59 100644
--- a/sbin/camcontrol/epc.c
+++ b/sbin/camcontrol/epc.c
@@ -633,8 +633,7 @@ epc(struct cam_device *device, int argc, char **argv, char *combinedopt,
 goto bailout;
 }
- bzero(&(&ccb->ccb_h)[1],
- sizeof(union ccb) - sizeof(struct ccb_hdr));
+ CCB_CLEAR_ALL_EXCEPT_HDR(ccb);
 while ((c = getopt(argc, argv, combinedopt)) != -1) {
 switch (c) {
diff --git a/sbin/camcontrol/zone.c b/sbin/camcontrol/zone.c
index aaf172e..87a1842 100644
--- a/sbin/camcontrol/zone.c
+++ b/sbin/camcontrol/zone.c
@@ -347,8 +347,7 @@ zone(struct cam_device *device, int argc, char **argv, char *combinedopt,
 goto bailout;
 }
- bzero(&(&ccb->ccb_h)[1],
- sizeof(union ccb) - sizeof(struct ccb_hdr));
+ CCB_CLEAR_ALL_EXCEPT_HDR(ccb);
 while ((c = getopt(argc, argv, combinedopt)) != -1) {
 switch (c) {
@@ -484,7 +483,8 @@ restart_report:
 sector_count = ZAC_ATA_SECTOR_COUNT(alloc_len);
 protocol = AP_PROTO_DMA;
 } else {
- cdb_storage = calloc(cdb_storage_len, 1);
+ if (cdb_storage == NULL)
+ cdb_storage = calloc(cdb_storage_len, 1);
 if (cdb_storage == NULL)
 err(1, "couldn't allocate memory");
@@ -662,6 +662,8 @@ restart_report:
 if (zp_status == ZONE_PRINT_MORE_DATA) {
 bzero(ccb, sizeof(*ccb));
 first_pass = 0;
+ if (cdb_storage != NULL)
+ bzero(cdb_storage, cdb_storage_len);
 goto restart_report;
 } else if (zp_status == ZONE_PRINT_ERROR)
 error = 1; |
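Review bot: The guarded `calloc()` in the `@@ -484,7 +483,8 @@` hunk of zone.c now reuses `cdb_storage` on every pass through `restart_report`, which is only safe if the pointer starts out NULL and `cdb_storage_len` has the same value on each pass; neither the declaration nor the assignment of the length is visible in this hunk. The matching `bzero(cdb_storage, cdb_storage_len)` in the `@@ -662,6 +662,8 @@` hunk rests on the same invariant, because it clears by the current length rather than by the size that was actually allocated, so a larger length on a later pass would write past the buffer. I would state the invariant at the allocation with a comment such as `/* Allocated once and reused across restart_report; cdb_storage_len must not change between passes. */`. The body of zone() starts and ends outside both hunks, so whether the buffer is freed on the bailout path cannot be checked from here.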