Fix possible out-of-bounds access detected by Ulrich Spörlein's "scan-build".
Some invalid PCI device selectors could cause read access to an initialized variable next to the array (local loop index variable). While here, the parser has been made more strict with regard to the syntax of PCI device selectors as documented in the man-page. E.g. "pci:" used to be interpreted as "pci0:0".
MFC after: 3 days
parent
64a3a6304e
commit
a28a4d77b6
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=295806
@ -897,7 +897,6 @@ static struct pcisel
|
||||
parsesel(const char *str)
|
||||
{
|
||||
const char *ep;
|
||||
const char *epbase;
|
||||
char *eppos;
|
||||
struct pcisel sel;
|
||||
unsigned long selarr[4];
|
||||
@ -909,30 +908,27 @@ parsesel(const char *str)
|
||||
else
|
||||
ep = str;
|
||||
|
||||
epbase = ep;
|
||||
|
||||
if (strncmp(ep, "pci", 3) == 0) {
|
||||
ep += 3;
|
||||
i = 0;
|
||||
do {
|
||||
while (isdigit(*ep) && i < 4) {
|
||||
selarr[i++] = strtoul(ep, &eppos, 10);
|
||||
ep = eppos;
|
||||
} while ((*ep == ':' || *ep == '.') && *++ep != '\0' && i < 4);
|
||||
|
||||
if (i > 2)
|
||||
sel.pc_func = selarr[--i];
|
||||
else
|
||||
sel.pc_func = 0;
|
||||
sel.pc_dev = selarr[--i];
|
||||
sel.pc_bus = selarr[--i];
|
||||
if (i > 0)
|
||||
sel.pc_domain = selarr[--i];
|
||||
else
|
||||
sel.pc_domain = 0;
|
||||
if (*ep == ':') {
|
||||
ep++;
|
||||
if (*ep == '\0')
|
||||
i = 0;
|
||||
}
|
||||
}
|
||||
if (i > 0 && *ep == '\0') {
|
||||
sel.pc_func = (i > 2) ? selarr[--i] : 0;
|
||||
sel.pc_dev = (i > 0) ? selarr[--i] : 0;
|
||||
sel.pc_bus = (i > 0) ? selarr[--i] : 0;
|
||||
sel.pc_domain = (i > 0) ? selarr[--i] : 0;
|
||||
return (sel);
|
||||
}
|
||||
}
|
||||
if (*ep != '\x0' || ep == epbase)
|
||||
errx(1, "cannot parse selector %s", str);
|
||||
return sel;
|
||||
errx(1, "cannot parse selector %s", str);
|
||||
}
|
||||
|
||||
static struct pcisel
|
||||
|
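Review bot: The parsed components are copied from `selarr[]` into `sel.pc_func`, `sel.pc_dev`, `sel.pc_bus` and `sel.pc_domain` without any range check, so if those fields are narrower than `unsigned long` (struct pcisel is not shown on this page) a selector such as a constructed `pci0:256:0` would be truncated silently and name a different device than the one typed. Since the point of the change is a stricter parser, I would reject out-of-range values right after the conversion, checking `errno == ERANGE` and a per-field maximum, and fail with the existing `errx(1, "cannot parse selector %s", str);`. The loop test `isdigit(*ep)` also passes a plain `char`, which is undefined for negative values; `while (isdigit((unsigned char)*ep) && i < 4) {` avoids that. The `i = 0` inside the `if (*ep == ':')` branch doubles as an error flag for a trailing colon and deserves a one-line comment such as `/* trailing ':' - force the i > 0 test below to fail */`. The +/- markers are lost on this page, so which lines form the new side is inferred from the commit message and the hunk counts.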