| Commit message (Collapse) | Author | Age | Files | Lines |
| |
newsyslog: Eliminate unnecessary sleep(10) when -R and -s are specified
After going through the signal work list, during which do_sigwork()
is called and essentially does nothing because -s and -R were
specified on the command line, newsyslog will sleep for 10 seconds
as the (verbose) code says: "Pause 10 seconds to allow daemon(s)
to close log file(s)".
However, the man page verbiage for -R (and -s) seems quite clear
that this sleep() is unnecessary because the daemon was expected
to have already closed the log file before calling newsyslog.
PR: 210020
Submitted by: David A. Bright <david_a_bright@dell.com>
Sponsored by: Dell Inc.
| |
r299513 (by cem):
rtadvd(8): Don't use-after-free
This whole block of code was committed fully formed in r224144. I'm not really
sure what the intent was, but it seems plausible that !persist ifis could need
other member cleanup. Don't free the object until after we've finished
cleaning its members.
CID: 1006079
r299515 (by cem):
rtadvd(8): Fix use-after-close in cm_handler_client
cm_send() closes 'fd' on error. In that case, bail out early without trying to
recv from or close 'fd' again.
CID: 1006078
| |
r299507 (by cem):
rtadvd(8): Fix a typo in full msg receive logic
Check against the size of the struct, not the pointer. Previously, a message
with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow
and read(2) to be invoked with msglen size (implicitly cast to signed),
overrunning the caller-provided buffer.
All users of cm_recv() supply a stack buffer.
On the other hand, the rtadvd control socket appears to only be writable by the
owner, who is probably root.
While here, correct some types to be size_t or ssize_t.
CID: 1008477
Security: unix socket remotes may overflow stack in rtadvd
| |
r299491 (by cem):
route6d(8): Fix potential double-free
In the case that the subsequent sysctl(3) call failed, 'buf' could be free(3)ed
repeatedly. It isn't clear to me that that case is possible, but be clear and
do the right thing in case it is.
CID: 272537
| |
r299461 (by cem):
ffs_bswap: Copy one UFS dinode member at a time
No functional change.
CIDs: 974635, 974636, 977396, 977397, 977398, 977399
| |
Remove NO_WERROR.clang from this Makefile
This compiles with clang without warnings
| |
Bump WARNS to 6
| |
Move _bsnmptools_debug extern from bsnmpmap.c to bsnmptools.h
It was used in bsnmpmap.c but was stored in bsnmptools.c; moving the extern
to the header allows us to cover all of our bases for the variable, and allows
_bsnmptools_debug to be used in the future elsewhere -- not just bsnmpmap.c.
| |
Use a consistent errno save/restore pattern before running strtoul
- Save errno
- Set errno to 0
- Call strtoul
- Test errno (optional, but many calls to strtoul did this afterwards)
Some of the code was setting errno = 0 after calling strtoul, not setting
errno = 0, or setting errno to saved_errno after the call, but before the
test. These all have unwanted behavioral side-effects, depending on the
initial value of errno and whether or not the input to strtoul was correct
or incorrect.
| |
Fix logically dead code pointed out by clang/Coverity
parse_context, parse_user_security: test for validity of results from
parse_ascii(..) by casting to int32_t and comparing to -1; comparing
unsigned types to negative values will always be false.
CID: 1011432, 1011433
| |
Correct function names that failed in error messages
It should be calloc/strdup, not malloc
| |
Staticize variables only used in rpcbind.c
This is some low hanging fruit necessary for making this WARNS?= 6 clean
| |
Remove unnecessary caller_uaddr != NULL test before calling free on it
| |
Remove a useless if (x != NULL) check before calling free on allocated_uaddr
| |
r300867:
Only expose `hint_uaddr` in the ND_DEBUG case
This fixes a -Wunused-but-set-variable warning with gcc
r300932:
Catch malloc(3) errors and socket(2) errors
- malloc failing will result in a delayed segfault
- socket failing will result in delayed failures with setsockopt
Exit in the event that either of these high-level conditions are met.
CID: 976288, 976321, 976858
r300934:
Plug leak with ifp by calling freeifaddrs after calling getifaddrs
Obtained from: NetBSD v1.18
r300941:
Don't leak res in network_init(..)
Call freeaddrinfo on it after it's been used
CID: 1225050
r300972 (by markj):
Fix rpcbind init after r300941.
- getaddrinfo() sets res = NULL on failure and freeaddrinfo() always
dereferences its argument, so we should only free the address list after
a successful call.
- Address a second potential leak caused by getaddrinfo(AF_INET6)
overwriting the address list returned by getaddrinfo(AF_INET).
X-MFC-With: r300941
r300973:
Follow up to r300932
In the event MK_INET6 != no in userspace, but is disabled in the
kernel, or if there aren't any IPv6 addresses configured in userspace
(for lo0 and all physical interfaces), rpcbind would terminate
immediately instead of silently failing on
Skip over the IPv6 block to its respective cleanup with freeifaddrs if
creating the socket failed instead of terminating rpcbind immediately
| |
Wrap EXPAND(..) macro with a do-while(0) loop and put a single statement on each line
As a positive side-effect, this eliminates the double semicolons reported by Coverity:
the macro contained a trailing semicolon, in addition to the semicolon placed on
each line where EXPAND(..) was called.
CID: 1194269
| |
Fix CID 1006692 in /usr/sbin/pw pw_log() function and other fixes
The length of the name returned from the $LOGNAME and $USER can be
very long and it was being concatenated to a fixed length buffer
with no bounds checking. Fix this problem by limiting the length
of the name copied.
Additionally, this name is actually used to create a format string
to be used in adding log file entries so embedded % characters in
the name could confuse *printf(), and embedded whitespace could
confuse a log file parser. Handle the former by escaping each %
with an additional %, and handle the latter by simply stripping it
out.
Clean up the code by moving the variable declarations to the top
of the function, formatting them to conform with style, and moving
initialization elsewhere.
Reduce code indentation by returning early in a couple of places.
Reported by: Coverity
CID: 1006692
Reviewed by: markj (previous version)
Differential Revision: https://reviews.freebsd.org/D6490
| |
ntp 4.2.8p8.
Security: CVE-2016-4957, CVE-2016-4953, CVE-2016-4954
Security: CVE-2016-4955, CVE-2016-4956
Security: FreeBSD-SA-16:24.ntp
Relnotes: yes
| |
Avoid buffer overflow or truncation when constructing path_zoneinfo_file.
Reported by: Coverity
CID: 1011160
| |
r300747 | asomers | 2016-05-26 08:26:49 -0600 (Thu, 26 May 2016) | 8 lines
rmextattr(8) man page clarifications regarding -qq
r299087 | asomers | 2016-05-04 15:07:30 -0600 (Wed, 04 May 2016) | 13 lines
Fix "getextattr -x" with non-ascii attribute values
extattr/rmextattr.c
When printing hex output, treat all attribute values as unsigned
char arrays instead of sign extending them to 32 bit values.
extattr/tests/extattr_test.sh
Add a regression test
r299085 | asomers | 2016-05-04 14:20:55 -0600 (Wed, 04 May 2016) | 30 lines
Allow setextattr(8) to take attribute values from stdin
Add the -i option to setextattr. This option allows extended attribute data
to be provided via stdin. Add a -qq option to getextattr, which omits the
trailing newline. Together these options can be used to work with extended
attributes whose values are large and/or binary.
usr.sbin/extattr/Makefile:
Link against libsbuf which is used for processing stdin data.
usr.sbin/extattr/rmextattr.8:
Document setextattr's -i option, getextattr's -qq option, and remove
the BUG about setextattr only being useful for strings.
usr.sbin/extattr/rmextattr.c:
For setextattr operations, buffer attribute data in an sbuf. If -i
is specified, pull the data from stdin, otherwise from the
appropriate argument.
Update usage text and argument validation code for setextattr's -i
option.
usr.sbin/extattr/tests/extattr_test.sh
Add tests for -q and -i.
r298744 | asomers | 2016-04-28 09:13:50 -0600 (Thu, 28 Apr 2016) | 11 lines
Add PACKAGE fields to usr.sbin/extattr/tests/Makefile
usr.sbin/extattr/tests/Makefile
Add boiler plate required by 298107 but omitted by 298483. These
two changes passed through CR in parallel. I think this should get
the full test suite running in Jenkins again.
r298483 | asomers | 2016-04-22 11:02:47 -0600 (Fri, 22 Apr 2016) | 10 lines
Add ATF tests for usr.sbin/extattr
Add ATF tests for the existing behavior of setextattr, rmextattr, lsextattr,
and getextattr.
Sponsored by: Spectra Logic Corp
| |
Delay calling yp_malloc_dnsent() until after some additional sanity
checks to avoid leaking memory on error returns.
Reported by: Coverity
CID: 1007416
| |
Call free(cur) if strdup(dirp->d_name) fails to avoid a memory leak.
Reported by: Coverity
CID: 1007414
| |
Fix acpidb CIDs 1011279 (Buffer not null terminated) and 978405 and
1199380 (Resource leak).
load_dsdt() calls strncpy() to copy a filename and Coverity warns
that the destination buffer may not be NUL terminated. Fix this
by using strlcpy() instead. If silent truncation occurs, then the
filename was not valid anyway.
load_dsdt() leaks an fd (CID 978405) and a memory region allocated
using mmap() (CID 1199380) when it returns. Fix these by calling
close() and munmap() as appropriate.
Don't bother fixing the minor memory leak "list", allocated by
AcGetAllTablesFromFile() (CID 1355191).
Check for truncation when creating the temp file name.
Set a flag to indicate that the temp file should be unlinked.
Relying on a strcmp() test could delete the input file in contrived
cases.
Reported by: Coverity
CID: 1011279, 978405, 1199380
Reviewed by: jkim
Differential Revision: https://reviews.freebsd.org/D6368
| |
Fix acpidump CID 1011278 (Buffer not null terminated) and other issues
Coverity reports that a buffer used for temporary file generation
might not be NUL terminated by strncpy(). This is probably not
true because the input gets passed through realpath(), but if the
path name is sufficiently long the name could be truncated and cause
other problems. The code for generating the temp file names is
also overly complex. Instead of a bunch of calls to strncpy() and
strncat(), simplify the code by using snprintf() and add checks
for unexpected truncation.
The output file created by iasl -d is predictable. Fix this by
using mkdtemp() to create a directory to hold the iasl input and
output files.
Check the return values of more syscalls.
Reported by: Coverity
CID: 1011278
Reviewed by: jkim
Differential Revision: https://reviews.freebsd.org/D6360
| |
------------------------------------------------------------------------
r300224 | ken | 2016-05-19 13:13:43 -0600 (Thu, 19 May 2016) | 12 lines
Adjust a couple of error cases in camdd(8).
usr.sbin/camdd/camdd.c:
In camdd_probe_file(), fix an error case after fstat where
we were bailing out and leaving two lines of cleanup code
unexecuted. Instead, just goto bailout_error.
In camdd_probe_pass(), fail if the sector size is 0.
------------------------------------------------------------------------
Sponsored by: Spectra Logic
| |
r299465 (by cem):
bsnmp: Don't overrun privkey buffer by copying wrong size
The 'priv_key' array is SNMP_PRIV_KEY_SIZ bytes, not SNMP_AUTH_KEY_SIZ.
CIDs: 1008326, 1009675
r299807:
Replace QUADFMT with %ju and QUADXFMT with %jx and cast values with uintmax_t
This will cure some -Wformat warnings
r299808:
Use sizeof(..)s for the destination buffers instead of hardcoded values corresponding
to the destination buffer sizes
r299817:
Use SNMPD_INPUT_FAILED instead of SNMP_CODE_FAILED
SNMPD_INPUT_FAILED is `enum snmpd_input_err` type (which matches the return
code from the function). SNMP_CODE_FAILED is `enum snmp_code` type.
r299831:
Remove NO_WERROR and add WARNS?= 6
This now compiles cleanly on all architectures
Tested with: clang 3.8, gcc 4.2.1, gcc 4.5, make tinderbox
r299832:
Remove trailing whitespace in license tort
r300167 (by glebius):
Revert r299830, it has a couple of fatal errors.
The CMSG_ family of macros take care of alignment, so we don't need r299830
at all, even if it was correct. Put NO_WCAST_ALIGN into Makefile.
Together with: peter
| |
r299764,r299765,r299767,r299769,r299770,r299774,r299802,r299803,r299805,r299814:
r299764:
Use the size of the destination buffer, not the source buffer.
Technically this is a no-op, but mute the clang warning in case the malloc call
above for fstring ever changes in the future
r299765:
Fix theoretical buffer overflow issues in snmp_oid2asn_oid
Increase the size of `string` by 1 to account for the '\0' terminator. In the event
that `str` doesn't contain any non-alpha chars, i would be set to MAXSTR, and
the subsequent strlcpy call would overflow by a character.
Remove unnecessary `string[i] = '\0'` -- this is already handled by strlcpy.
r299767:
Mute sign compare warning by casting rc to u_int to match nbindings' type
rc cannot be negative -- that was already tested for earlier on in
the function
r299769:
Use the size of the destination buffer instead of the malloc size, repeated, in order
to mute a -Wstrlcpy-strlcat-size warning
r299770:
Fix up r299764
I meant to use nitems, not sizeof(..) with the destination buffer. Using sizeof(..)
on a pointer will always truncate the output in the destination buffer incorrectly
Pointyhat to: ngie
r299774:
Do minimal work necessary to cure a -Wunused-but-set-variable warning from gcc
How errno is saved before and restored after strtoul calls needs a rethink
r299802:
Fix up both r299764 and r299770
nitems was wrong too, as it was being tested against a pointer instead of a buffer on
the stack.
Since the old code was just doing malloc, then strlcpy'ing the contents of the source
buffer into the destination buffer, replace it all with a call to strdup.
Supersized Duncecap to: ngie
r299803:
Replace malloc + memset(.., 0, ..) with calloc calls
r299805:
Fix up r299769
Similar to r299802, it was noted that using nitems on scalar pointers is
invalid.
Use strdup instead of malloc + strlcpy (which is what the old code was doing
anyhow).
Pointyhat to: ngie
r299814:
Replace malloc + memset(.., 0, ..) with calloc calls
| |
r299710:
Staticize global variables only used in bsnmpimport.c to fix
-Wmissing-variable-declarations warnings
r299711:
Fold two malloc + memset(.., 0, ..) calls into equivalent calloc calls
r299763:
Mute -Wstrlcpy-strlcat-size warning by using nitems with the size of the buffer
This is a no-op as the malloc above set the size of the buffer to the size used
below, but this keeps things consistent in case the malloc call changes somehow.
r299783:
Convert tok from enum tok to int32_t in function calls
get_token(..) returns int32_t, not enum tok, and in many cases tests for items
not in enum tok (e.g. '('). Make the typing consistent with get_token, which
includes a domino effect of changing enum tok to int32_t.
r299811:
Use strdup instead of malloc + strlcpy
Fix error messages on failure for calloc/strdup
| |
When clearing rtmsg, pass &rtmsg to bzero() instead of the address of
just the header
Reported by: Coverity
CID: 1007568, 1194256
| |
r299712:
Fix some trivial clang/gcc warnings in bsnmptc.c
- By definition, `enum snmp_tc` can't be false (the implied starting sequence
index for the enum is 0). Don't test for it being < 0.
- Staticize `struct snmp_text_conv` to mute a -Wmissing-variable-declarations
warning from clang.
- Remove set but unused variable, ptr, in parse_bridge_id(..) and
parse_bport_id(..) to mute warning from gcc 4.9+.
- Mark value and string unused in snmp_inetaddr2oct(..) and parse_inetaddr(..)
as they're just stub functions.
r299759:
Use calloc instead of memset(.., 0, ..) + malloc
r299760:
Sort variables in parse_ascii(..) per style(9)
r299761:
parse_ascii: make count size_t to mute a -Wsign-compare issue
count is always unsigned.
r299762:
Mark snmptoolctx unused in parse_authentication(..), parse_privacy(..),
parse_context(..), and parse_user_security(..).
| |
Don't walk off the end of the array when proto isn't explicitly
listed above. Instead update the catch-all "Others" bucket.
Reported by: Coverity
CID: 1007571, 1007572
| |
Set ai2 to NULL in find_host() before the loop and after calling
freeaddrinfo() on it to indicate that it doesn't point to a valid
addrinfo list. This fixes these Coverity issues:
1006368 Uninitialized pointer read
1018506 Double free
1305590 Resource leak
that can be triggered in the hp->hostname[0] != '\0' case.
Don't treat a character as a boolean.
Fix these Coverity issues:
1009293 Unchecked return value from library
1194246 Wrong size argument
by tweaking the status file extend code.
Reported by: Coverity
CID: 1006368, 1018506, 1305590, 1009293, 1194246
Reviewed by: rmacklem
Feedback from: hrs
Differential Revision: https://reviews.freebsd.org/D6398
| |
Actually use the loop iteration limit so carefully computed on the
previous line to prevent buffer overflow. This turns out to not be
important because the upstream xdr code already capped the object
size at the proper value. Using the correct limit here looks a lot
less scary and should please Coverity.
Reported by: Coverity
CID: 1199309, 1199310
| |
Fix an off by one error to avoid overflowing rp[].
Reported by: Coverity
CID: 1007579
| |
NULL releasedfl after calling deallocate_file_lock() which frees it
to avoid a use-after-free error in the debuglog() call at the top
of the loop.
Reported by: Coverity
CID: 1006080
| |
pdu_delete(request) frees request, so move the call after
login_new_response(request) to avoid a use-after-free error
Reported by: Coverity
CID: 1331219, 1331220
| |
Don't free fnamebuf before calling cfgfile_add(). This changes a
use-after-free error into a minor memory leak.
Reported by: Coverity
CID: 1006084
| |
Use strlcpy() instead of strncpy() when copying ifname to ensure
that it is NUL terminated. Additional NUL padding is not required
for short names.
Reported by: Coverity
CID: 1009974
| |
Use strlcpy() instead of strncpy() when copying ifname to ensure
that it is NUL terminated. Additional NUL padding is not required
for short names.
Reported by: Coverity
CID: 991863, 991864, 991865
| |
Use strlcpy() instead of strncpy() when copying ifname to ensure
that it is NUL terminated. Additional NUL padding is not required
for short names.
Reported by: Coverity
CID: 974860, 1009972, 1009973
| |
Use strlcpy() instead of strncpy() when copying ifname to ensure
that it is NUL terminated. Additional NUL padding is not required
for short names.
Reported by: Coverity
CID: 974852
| |
Properly compute the size argument to pass to malloc().
Reported by: Coverity
CID: 1198856
| |
Move a call to cam_freeccb() to avoid a use after free error and
a later double free.
Reported by: Coverity
CID: 1018507
| |
Use strlcpy() instead of strncpy() to ensure that ret->name is
NUL terminated. The source and destination buffers are the same
size and the source *should* be NUL terminated, but be paranoid.
Reported by: Coverity
CID: 1011274
| |
Use strlcpy() instead of strncpy() to ensure that qup->fsname is NUL
terminated. Don't bother checking for truncation since the subsequent
quota_read() should detect that and fail.
Reported by: Coverity
CID: 1009980
| |
r290903 is needed to prevent a conflict when merging r299573
r290903 | araujo | 2015-11-15 19:18:40 -0800 (Sun, 15 Nov 2015) | 5 lines
Don't need to cast malloc.
r299573 | truckman | 2016-05-12 14:35:40 -0700 (Thu, 12 May 2016) | 10 lines
Use strlcpy() instead of strncpy() when copying to dom_domain to
ensure that the latter is NUL terminated since it is passed
as an argument to *printf().
Warn about NIS domains that are too long.
Reported by: Coverity
CID: 1009620, 1009621
| |
Minor spelling fixes in:
tools, share, bluetooth, pmcstat, etc
Many of these have user-visible strings.
| |
Fix a typo that prevented pw(8) from setting a user's UID to 0.
| |
r298451:
Don't use `entry` after free in the "already in lists" case
Return with 0 as it isn't an error.
CID: 1006085
Obtained from: Isilon OneFS (part of r493633)
r298452:
Don't try to free `string` (stack allocated char[])
Fix minor style with warnx call while in the neighborhood
CID: 1009683
r298507:
Fix looking for "UTC" at start of ptr by using strncmp instead of improperly
unrolled equivalent
CID: 1347118
r298750:
Use a better idiom for finding UTC prefixed timezones
Instead of copy-pasting the string literal for "UTC" 3 times and using
strlen, use a static char[3] buffer and sizeof(..).
| |
Submitted by: Jimmy Olgeni