author | truckman <truckman@FreeBSD.org> | 2016-05-16 23:00:48 +0000 |
---|---|---|
committer | truckman <truckman@FreeBSD.org> | 2016-05-16 23:00:48 +0000 |
commit | 1c0505b26ca4d162d7b0ba3188e34dd21c616c54 (patch) | |
tree | 7df32c144a9ee05fe8c34159f4da32ab65829057 /usr.sbin/rpc.lockd | |
parent | c90a0017ce33a605bd03b6a353b3d9aac1088a15 (diff) | |
Actually use the loop iteration limit so carefully computed on the
previous line to prevent buffer overflow. This turns out to not be
important because the upstream xdr code already capped the object
size at the proper value. Using the correct limit here looks a lot
less scary and should please Coverity.
Reported by: Coverity
CID: 1199309, 1199310
MFC after: 1 week
Diffstat (limited to 'usr.sbin/rpc.lockd')
-rw-r--r-- | usr.sbin/rpc.lockd/lock_proc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/usr.sbin/rpc.lockd/lock_proc.c b/usr.sbin/rpc.lockd/lock_proc.c index 8884ad9..595d625 100644 --- a/usr.sbin/rpc.lockd/lock_proc.c +++ b/usr.sbin/rpc.lockd/lock_proc.c @@ -112,7 +112,7 @@ log_netobj(netobj *obj) } /* Prevent the security hazard from the buffer overflow */ maxlen = (obj->n_len < MAX_NETOBJ_SZ ? obj->n_len : MAX_NETOBJ_SZ); - for (i=0, tmp1 = objvalbuffer, tmp2 = objascbuffer; i < obj->n_len; + for (i=0, tmp1 = objvalbuffer, tmp2 = objascbuffer; i < maxlen; i++, tmp1 +=2, tmp2 +=1) { sprintf(tmp1,"%02X",*(obj->n_bytes+i)); sprintf(tmp2,"%c",*(obj->n_bytes+i)); |
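
Review bot: The two sprintf calls in the loop body are still unbounded even though the loop condition now uses maxlen, so the bound only holds if every iteration writes exactly two bytes through tmp1 and one through tmp2. "%02X" sets a minimum width, not a maximum: if obj->n_bytes is a plain (signed) char pointer, a byte with the high bit set is promoted to a negative int and prints as eight hex digits, which runs past the two bytes budgeted per iteration. Consider casting the argument, e.g. (unsigned char)obj->n_bytes[i], and using snprintf with the remaining space in each buffer. The declarations of objvalbuffer and objascbuffer are outside this hunk, so it is also worth confirming they hold 2 * MAX_NETOBJ_SZ + 1 and MAX_NETOBJ_SZ + 1 bytes, since each sprintf appends a terminating NUL. The comment "Prevent the security hazard from the buffer overflow" could say that maxlen is what bounds the loop, so the next reader does not reintroduce obj->n_len. Minor style: the "%c" conversion copies raw bytes from a network object into the log string, so non-printable values end up in the log unless they are filtered.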