Correct an out of bounds read with HN_AUTOSCALE and very large numbers.

The maximum scale is 6 (K, M, G, T, P, E) (B is 0).

Overly large explict scales were checked correctly, but for sufficently
large numbers HN_AUTOSCALE would get to 7 resulting in an out of bounds
read.

Found with humanize_number_test and CHERI bounds checking.

Reviewed by:	emaste
Obtained from:	CheriBSD
MFC after:	1 week
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D10376
This commit is contained in:
brooks 2017-04-13 15:49:32 +00:00
parent 434a9744e1
commit 5c721276a4

View File

@ -43,7 +43,7 @@ __FBSDID("$FreeBSD$");
#include <locale.h>
#include <libutil.h>
static const int maxscale = 7;
static const int maxscale = 6;
int
humanize_number(char *buf, size_t len, int64_t quotient,
@ -64,7 +64,7 @@ humanize_number(char *buf, size_t len, int64_t quotient,
return (-1);
if (scale < 0)
return (-1);
else if (scale >= maxscale &&
else if (scale > maxscale &&
((scale & ~(HN_AUTOSCALE|HN_GETSCALE)) != 0))
return (-1);
if ((flags & HN_DIVISOR_1000) && (flags & HN_IEC_PREFIXES))