Avoid reading one byte before the path buffer.

This happens when there's only one component (e.g. "/foo"). This
(mostly-harmless) bug has been present since June 1990 when it was
committed to mountd.c SCCS version 5.9.

Note: the bug is on the second changed line, the first line is changed
for visual consistency.

Reviewed by:	cem, emaste, mckusick, rmacklem
Found with:	CHERI
Obtained from:	CheriBSD
MFC after:	1 week
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D25759
Brooks Davis 2020-07-22 21:44:51 +00:00
parent ce53f590ca
commit d90b364147

@ -3155,9 +3155,9 @@ do_mount(struct exportlist *ep, struct grouplist *grp, uint64_t exflags,
goto error_exit;
}
/* back up over the last component */
while (*cp == '/' && cp > dirp)
while (cp > dirp && *cp == '/')
cp--;
while (*(cp - 1) != '/' && cp > dirp)
while (cp > dirp && *(cp - 1) != '/')
cp--;
if (cp == dirp) {
if (debug)
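
Review bot: The second loop, `while (cp > dirp && *(cp - 1) != '/')`, now relies on operand order for memory safety, but the only comment above it is "back up over the last component", so nothing tells a later reader that the order matters. A one-line comment there would help, saying that `cp > dirp` must be tested first because `*(cp - 1)` reads the byte before `dirp` when `cp == dirp`. That keeps a future style cleanup from swapping the operands back. The first loop only dereferences `*cp`, which stays inside the buffer at `cp == dirp`, so its reordering is cosmetic, as the commit message notes.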