15094 Commits

Author SHA1 Message Date
truckman
3b8f7769ef MFC r300635
Call free(cur) if strdup(dirp->d_name) fails to avoid a memory leak.

Reported by:	Coverity
CID:		1007414
2016-06-01 17:18:35 +00:00
truckman
a88b1b7c54 MFC r300633
Fix acpidb CIDs 1011279 (Buffer not null terminated) and 978405 and
1199380 (Resource leak).

load_dsdt() calls strncpy() to copy a filename and Coverity warns
that the destination buffer may not be NUL terminated.  Fix this
by using strlcpy() instead.  If silent truncation occurs, then the
filename was not valid anyway.

load_dsdt() leaks an fd (CID 978405) and a memory region allocated
using mmap() (CID 1199380) when it returns.  Fix these by calling
close() and munmap() as appropriate.

Don't bother fixing the minor memory leak "list", allocated by
AcGetAllTablesFromFile() (CID 1355191).

Check for truncation when creating the temp file name.

Set a flag to indicate that the temp file should be unlinked.
Relying on a strcmp() test could delete the input file in contrived
cases.

Reported by:	Coverity
CID:		1011279, 978405, 1199380
Reviewed by:	jkim
Differential Revision:	https://reviews.freebsd.org/D6368
2016-06-01 17:16:35 +00:00
truckman
953b9044a7 MFC r300632
Fix acpidump CID 1011278 (Buffer not null terminated) and other issues

Coverity reports that a buffer used for temporary file generation
might not be NUL terminated by strncpy().  This is probably not
true because the input gets passed through realpath(), but if the
path name is sufficiently long the name could be truncated and cause
other problems.  The code for generating the temp file names is
also overly complex.  Instead of a bunch of calls to strncpy() and
strncat(), simplify the code by using snprintf() and add checks
for unexpected truncation.

The output file created by iasl -d is predictable.  Fix this by
using mkdtemp() to create a directory to hold the iasl input and
output files.

Check the return values of more syscalls.

Reported by:	Coverity
CID:		1011278
Reviewed by:	jkim
Differential Revision:	https://reviews.freebsd.org/D6360
2016-06-01 17:13:43 +00:00
ken
93ed84b1d1 MFC r300224:
------------------------------------------------------------------------
  r300224 | ken | 2016-05-19 13:13:43 -0600 (Thu, 19 May 2016) | 12 lines

  Adjust a couple of error cases in camdd(8).

  usr.sbin/camdd/camdd.c:
  	In camdd_probe_file(), fix an error case after fstat where
  	we were bailing out and leaving two lines of cleanup code
  	unexecuted.  Instead, just goto bailout_error.

  	In camdd_probe_pass(), fail if the sector size is 0.
  ------------------------------------------------------------------------

Sponsored by:	Spectra Logic
2016-05-25 14:30:33 +00:00
ngie
790252a1c5 MFC r299465,r299807,r299808,r299817,r299831,r299832,r300167:
r299465 (by cem):

bsnmp: Don't overrun privkey buffer by copying wrong size

The 'priv_key' array is SNMP_PRIV_KEY_SIZ bytes, not SNMP_AUTH_KEY_SIZ.

CIDs:		1008326, 1009675

r299807:

Replace QUADFMT with %ju and QUADXFMT with %jx and cast values with uintmax_t

This will cure some -Wformat warnings

r299808:

Use sizeof(..)s for the destination buffers instead of hardcoded values corresponding
to the destination buffer sizes

r299817:

Use SNMPD_INPUT_FAILED instead of SNMP_CODE_FAILED

SNMPD_INPUT_FAILED is `enum snmpd_input_err` type (which matches the return
code from the function). SNMP_CODE_FAILED is `enum snmp_code` type.

r299831:

Remove NO_WERROR and add WARNS?= 6

This now compiles cleanly on all architectures

Tested with: clang 3.8, gcc 4.2.1, gcc 4.5, make tinderbox

r299832:

Remove trailing whitespace in license tort

r300167 (by glebius):

Revert r299830, it has a couple of fatal errors.

The CMSG_ family of macros take care of alignment, so we don't need r299830
at all, even if it was correct.  Put NO_WCAST_ALIGN into Makefile.

Together with:	peter
2016-05-24 04:49:58 +00:00
ngie
b9d11f2c24 MFC r299764,r299765,r299767,r299769,r299770,r299774,r299802,r299803,r299805,r299814:
r299764:

Use the size of the destination buffer, not the source buffer.

Technically this is a no-op, but mute the clang warning in case the malloc call
above for fstring ever changes in the future

r299765:

Fix theoretical buffer overflow issues in snmp_oid2asn_oid

Increase the size of `string` by 1 to account for the '\0' terminator. In the event
that `str` doesn't contain any non-alpha chars, i would be set to MAXSTR, and
the subsequent strlcpy call would overflow by a character.

Remove unnecessary `string[i] = '\0'` -- this is already handled by strlcpy.

r299767:

Mute sign compare warning by casting rc to u_int to match nbindings' type

rc cannot be negative -- that was already tested for earlier on in
the function

r299769:

Use the size of the destination buffer instead of the malloc size, repeated, in order
to mute a -Wstrlcpy-strlcat-size warning

r299770:

Fix up r299764

I meant to use nitems, not sizeof(..) with the destination buffer. Using sizeof(..)
on a pointer will always truncate the output in the destination buffer incorrectly

Pointyhat to: ngie

r299774:

Do minimal work necessary to cure a -Wunused-but-set-variable warning from gcc

How errno is saved before and restored after strtoul calls needs a rethink

r299802:

Fix up both r299764 and r299770

nitems was wrong too, as it was being tested against a pointer instead of a buffer on
the stack.

Since the old code was just doing malloc, then strlcpy'ing the contents of the source
buffer into the destination buffer, replace it all with a call to strdup..

Supersized Duncecap to: ngie

r299803:

Replace malloc + memset(.., 0, ..) with calloc calls

r299805:

Fix up r299769

Similar to r299802, it was noted that using nitems on scalar pointers is
invalid.

Use strdup instead of malloc + strlcpy (which is what the old code was doing
anyhow).

Pointyhat to: ngie

r299814:

Replace malloc + memset(.., 0, ..) with calloc calls
2016-05-24 04:23:58 +00:00
ngie
0c63d37633 MFC r299710,r299711,r299763,r299783,r299811:
r299710:

Staticize global variables only used in bsnmpimport.c to fix
-Wmissing-variable-declarations warnings

r299711:

Fold two malloc + memset(.., 0, ..) calls into equivalent calloc calls

r299763:

Mute -Wstrlcpy-strlcat-size warning by using nitems with the size of the buffer

This is a no-op as the malloc above set the size of the buffer to the size used
below, but this keeps things consistent in case the malloc call changes somehow.

r299783:

Convert tok from enum tok to int32_t in function calls

get_token(..) returns int32_t, not enum tok, and in many cases tests for items
not in enum tok (e.g. '('). Make the typing consistent with get_token, which
includes a domino effect of changing enum tok to int32_t.

r299811:

Use strdup instead of malloc + strlcpy

Fix error messages on failure for calloc/strdup
2016-05-23 06:01:04 +00:00
truckman
d2f0c2e323 MFC r300002
When clearing rtmsg, pass &rtmsg to bzero() instead of the address of
just the header

Reported by:	Coverity
CID:		1007568, 1194256
2016-05-23 05:43:59 +00:00
ngie
d1f853054e MFC r299712,r299759,r299760,r299761,r299762:
r299712:

Fix some trivial clang/gcc warnings in bsnmptc.c

- By definition, `enum snmp_tc` can't be false (the implied starting sequence
  index for the enum is 0). Don't test for it being < 0.
- Staticize `struct snmp_text_conv` to mute a -Wmissing-variable-declarations
  warning from clang.
- Remove set but unused variable, ptr, in parse_bridge_id(..) and
  parse_bport_id(..) to mute warning from gcc 4.9+.
- Mark value and string unused in snmp_inetaddr2oct(..) and parse_inetaddr(..)
  as they're just stub functions.

r299759:

Use calloc instead of memset(.., 0, ..) + malloc

r299760:

Sort variables in parse_ascii(..) per style(9)

r299761:

parse_ascii: make count size_t to mute a -Wsign-compare issue

count is always unsigned.

r299762:

Mark snmptoolctx unused in parse_authentication(..), parse_privacy(..),
parse_context(..), and parse_user_security(..).
2016-05-23 05:41:53 +00:00
truckman
6c7ef06a39 MFC r299991
Don't walk off the end of the array when proto isn't explicitly
listed above.  Instead update the catch-all "Others" bucket.

Reported by:	Coverity
CID:		1007571, 1007572
2016-05-23 05:41:23 +00:00
truckman
7856d15f59 MFC r299988
Set ai2 to NULL in find_host() before the loop and after calling
freeaddrinfo() on it to indicate that it doesn't point to a valid
addrinfo list.  This fixes these Coverity issues:
	1006368 Uninitialized pointer read
	1018506 Double free
	1305590 Resource leak
that can be triggered in the hp->hostname[0] != '\0' case.

Don't treat a character as a boolean.

Fix these Coverity issues:
	1009293 Unchecked return value from library
	1194246 Wrong size argument
by tweaking the status file extend code.

Reported by:	Coverity
CID:		1006368, 1018506, 1305590, 1009293, 1194246
Reviewed by:	rmacklem
Feedback from:	hrs
Differential Revision:	https://reviews.freebsd.org/D6398
2016-05-23 05:38:40 +00:00
truckman
35c2107e56 MFC r299986
Actually use the loop iteration limit so carefully computed on the
previous line to prevent buffer overflow.  This turns out to not be
important because the upstream xdr code already capped the object
size at the proper value.  Using the correct limit here looks a lot
less scary and should please Coverity.

Reported by:	Coverity
CID:		1199309, 1199310
2016-05-23 05:27:31 +00:00
truckman
4b70d73d68 MFC r299953
Fix an off by one error to avoid overflowing rp[].

Reported by:	Coverity
CID:		1007579
2016-05-23 05:21:55 +00:00
truckman
8c6956f245 MFC r299897
NULL releasedfl after calling deallocate_file_lock() which frees it
to avoid a use-after-free error in the debuglog() call at the top
of the loop.

Reported by:	Coverity
CID:		1006080
2016-05-23 04:52:27 +00:00
truckman
651189b30d MFC r299894
pdu_delete(request) frees request, so move the call after
login_new_response(request) to avoid a use-after-free error

Reported by:	Coverity
CID:		1331219, 1331220
2016-05-23 04:50:01 +00:00
truckman
4cff368a1f MFC r299893
Don't free fnamebuf before calling cfgfile_add().  This changes a
use-after-free error into a minor memory leak.

Reported by:	Coverity
CID:		1006084
2016-05-23 04:47:24 +00:00
truckman
00907751d3 MFC r299869
Use strlcpy() instead of strncpy() when copying ifname to ensure
that it is NUL terminated.  Additional NUL padding is not required
for short names.

Reported by:	Coverity
CID:		1009974
2016-05-20 07:11:04 +00:00
truckman
b3a60fa2fe MFC r299868
Use strlcpy() instead of strncpy() when copying ifname to ensure
that it is NUL terminated.  Additional NUL padding is not required
for short names.

Reported by:	Coverity
CID:		991863, 991864, 991865
2016-05-20 07:08:19 +00:00
truckman
4597c47c8b MFC r299867
Use strlcpy() instead of strncpy() when copying ifname to ensure
that it is NUL terminated.  Additional NUL padding is not required
for short names.

Reported by:	Coverity
CID:		974860, 1009972, 1009973
2016-05-20 07:00:11 +00:00
truckman
da24c7987e MFC 299866
Use strlcpy() instead of strncpy() when copying ifname to ensure
that it is NUL terminated.  Additional NUL padding is not required
for short names.

Reported by:	Coverity
CID:		974852
2016-05-20 06:56:43 +00:00
truckman
56779b51c7 MFC r299593
Properly compute the size argument to pass to malloc().

Reported by:	Coverity
CID:		1198856
2016-05-20 06:47:42 +00:00
truckman
8fcbf690b6 MFC r299592
Move a call to cam_freeccb() to avoid a use after free error and
a later double free.

Reported by:	Coverity
CID:		1018507
2016-05-20 06:43:55 +00:00
truckman
936d644d38 MFC r299580
Use strlcpy() instead of strncpy() to ensure that ret->name is
NUL terminated.  The source and destination buffers are the same
size and the source *should* be NUL terminated, but be paranoid.

Reported by:	Coverity
CID:		1011274
2016-05-20 06:33:02 +00:00
truckman
5e92b42b1a MFC r299579
Use strlcpy() instead of strncpy() to ensure that qup->fsname is NUL
terminated.  Don't bother checking for truncation since the subsequent
quota_read() should detect that and fail.

Reported by:	Coverity
CID:		1009980
2016-05-20 06:27:58 +00:00
truckman
a1ce47bacd MFC r290903, r299573
r290903 is needed to prevent a conflict when merging r299573

r290903 | araujo | 2015-11-15 19:18:40 -0800 (Sun, 15 Nov 2015) | 5 lines

Don't need cast malloc.

r299573 | truckman | 2016-05-12 14:35:40 -0700 (Thu, 12 May 2016) | 10 lines

Use strlcpy() instead of strncpy() when copying to dom_domain to
ensure that the latter is NUL terminated since it is passed
as an argument to *printf().

Warn about NIS domains that are too long.

Reported by:	Coverity
CID:		1009620, 1009621
2016-05-20 06:19:00 +00:00
pfg
23f338f311 MFC r298881, 298882, 298883, 298885:
Minor spelling fixes in:
tools, share, bluetooth, pmcstat, etc

Many of these have user-visible strings.
2016-05-15 03:15:36 +00:00
markj
51b64e6621 MFC r296300:
Fix a typo that prevented pw(8) from setting a user's UID to 0.
2016-05-11 21:35:58 +00:00
ngie
26e1356c45 MFC r298451,r298452,r298507,r298750:
r298451:

Don't use `entry` after free in the "already in lists" case

Return with 0 as it isn't an error.

CID: 1006085
Obtained from: Isilon OneFS (part of r493633)

r298452:

Don't try to free `string` (stack allocated char[])

Fix minor style with warnx call while in the neighborhood

CID: 1009683

r298507:

Fix looking for "UTC" at start of ptr by using strncmp instead of improperly
unrolled equivalent

CID: 1347118

r298750:

Use a better idiom for finding UTC prefixed timezones

Instead of copy-pasting the string literal for "UTC" 3 times and using
strlen, use a static char[3] buffer and sizeof(..).
2016-05-04 00:14:50 +00:00
jamie
aeea68e0cf MFC r298888: typo
Submitted by:	Jimmy Olgeni
2016-05-01 16:49:32 +00:00
wblock
8ed4b37d5a MFC r298525:
Add a single example of adding a user that roughly corresponds with the
adduser example in the Handbook.
2016-04-30 14:47:45 +00:00
jamie
7552516031 MFC r298584:
Note the existence of module-specific jail parameters, starting with the
  linux.* parameters when linux emulation is loaded.

MFC r298585:

  Encapsulate SYSV IPC objects in jails.  Define per-module parameters
  sysvmsg, sysvsem, and sysvshm, with the following behavior:

  inherit: allow full access to the IPC primitives.  This is the same as
  the current setup with allow.sysvipc on.  Jails and the base system
  can see (and modify) each other's objects, which is generally considered
  a bad thing (though may be useful in some circumstances).

  disable: allow no access, same as the current setup with allow.sysvipc off.

  new: A jail may see and use the IPC objects that it has created.  It also
  gets its own IPC key namespace, so different jails may have their own
  objects using the same key value.  The parent jail (or base system) can
  see the jail's IPC objects, but not its keys.

PR:		48471
2016-04-30 04:02:32 +00:00
jamie
1d5d3749a4 MFC r298562:
Make jail(8) interpret escape codes in fstab the same as getfsent(3).

PR:		208663
2016-04-28 01:40:47 +00:00
jhb
fb3b480b1b MFC 297932,298295:
Improvements for PCI passthru devices.

297932:
Handle PBA that shares a page with MSI-X table for passthrough devices.

If the PBA shares a page with the MSI-X table, map the shared page via
/dev/mem and emulate accesses to the portion of the PBA in the shared
page by accessing the mapped page.

298295:
Always emit an error message on passthru configuration errors.

Previously, many errors (such as the PCI device not being attached
to the ppt(4) driver) resulted in bhyve silently exiting without
starting the virtual machine.  Now any errors encountered when
configuring a virtual slot for a PCI passthru device should be noted
on stderr.
2016-04-27 23:04:42 +00:00
bcr
171ba3a9b3 MFC r298524:
Define which of the username options (-u/-U) to jexec(8) is the default.
Bump Dd.

PR:		207587
Submitted by:	dewayne@heuristicsystems.com.au
Sponsored by:   Essen Hackathon 2016
2016-04-27 16:23:16 +00:00
delphij
392e7b9479 MFC r298695: MFV r298691: ntp 4.2.8p7.
Security:	CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550
Security:	CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518
Security:	CVE-2016-2519
Security:	FreeBSD-SA-16:16.ntp
With hat:	so
2016-04-27 15:24:33 +00:00
bapt
7b928e00e5 MFC: r298111 r298114
Directly set the O_CLOEXEC flags via the open(2) attributes
  Use the SOCK_CLOEXEC flags in the socket(2) 'type' attribute instead of
calling fcntl(2)

Sponsored by:	Essen Hackathon
2016-04-23 10:06:57 +00:00
emaste
c5bc872f5c MFC r288490: Add debug file extension to kldxref(8)
After r288176 [in head] kernel debug files have the extension .debug.
  They also moved [in head] to /usr/lib/debug/boot/kernel by default so
  in the normal case kldxref does not encounter them.  A src.conf(5)
  setting may be used to continue installing them in /boot/kernel
  though, so have kldxref skip .debug files in addition to .symbols
  files.

Merged this change to avoid warnings when a stable/10 kldxref runs
against a head install, perhaps on an upgrade to 11-CURRENT.  The change
to kernel debug files will not be merged to stable/10.
2016-04-22 21:43:44 +00:00
emaste
6ac493037a MFC r277205 (imp):
Reserve and ignore a new module metadata type MDT_PNP_INFO for
  associating an optional PNP hint table with this module. In the
  future, when these are added, these changes will silently ignore the
  new type they would otherwise warn about. It will always be safe to
  ignore this data. Get this into the builds today for some future
  proofing.
2016-04-22 21:38:37 +00:00
emaste
e060611a41 MFC r275940 (imp): Bump the largest record we can cope with from 1k to 8k.
Other users of the hints file don't have any real limits, and longer
records will need to be written shortly.
2016-04-22 21:33:11 +00:00
wblock
b1bc0c99b3 MFC r298005:
Remove a link to the CTM section of the Handbook, which no longer exists.
2016-04-21 14:25:45 +00:00
emaste
c730fb273c MFC r296926: kbdcontrol: add -P path option to add keymap search paths
PR:		193865
Sponsored by:	The FreeBSD Foundation
2016-04-19 20:56:02 +00:00
asomers
336b1f7bb6 MFC r294924
syslogd: Enable repeated line compression for lines of any length.

Enable repeated line compression for lines of any length, instead of only short
lines. AFAICT repeated line compression was limited to short lines as a RAM
optimization, which made sense when karels added it in 1988, but no longer.
The penalty is a paltry 904B of RAM per file logged.
2016-04-08 21:42:35 +00:00
sbruno
48324f1236 MFC 290102
- Include usr.sbin/mpsutil for management of mps(4) and mpr(4) utilities.

- Thanks to scottl and bapt for making this happen.

Submitted by:	bapt scottl
Reviewed by:	kbowling
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D5529
2016-04-05 20:34:20 +00:00
wblock
1a029dfe24 MFC r297330:
Adjust misleading wording of the -G option and simplify a few
surrounding sentences.  From a discussion on -ports.
2016-04-04 16:20:46 +00:00
mav
eccbb81df1 MFC r296656:
Don't bother to invoke gmirror or zpool if the module is not loaded.
2016-03-28 09:36:52 +00:00
mav
b7a1951487 MFC r296655, r296673, r296776: Unify and improve metadata wiping.
2016-03-28 09:35:29 +00:00
mav
90b4836519 MFC r296654: Use geom disk list instead of camcontrol identify.
The new way works for almost any disk, while the old only for ATA.
2016-03-28 09:34:14 +00:00
allanjude
95e874ef1f MFC: r296988
Remove 50% ZFS conditional from bsdinstall/zfsboot

Approved by:	re (marius)
2016-03-17 21:00:43 +00:00
asomers
a3cbd495a3 MFC r295900, r295768 to usr.sbin/iostat
r295768 | asomers | 2016-02-18 13:08:01 -0700 (Thu, 18 Feb 2016) | 14 lines

Fix compiler warnings in iostat

Raise WARNS from 1 to 6 (the default)
Fix warnings:
* Use C99 designated initializers for structs, and initialize all fields
* Mark global variables as static
* Mark unused function arguments
* Be careful about signed/unsigned comparisons

r295900 | asomers | 2016-02-22 14:40:53 -0700 (Mon, 22 Feb 2016) | 10 lines

Fix the usr.sbin/iostat build with GCC, broken by r295768

Renamed some local variables for compatibility with -Wshadow
2016-03-17 20:29:10 +00:00
asomers
897095a018 MFC r293229, r293833 to usr.sbin/rpcbind
r293833 | asomers | 2016-01-13 10:33:50 -0700 (Wed, 13 Jan 2016) | 16 lines

Fix Coverity warnings regarding r293229

rpcbind/check_bound.c
        Fix CID1347798, a memory leak in mergeaddr.

rpcbind/tests/addrmerge_test.c
        Fix CID1347800 through CID1347803, memory leaks in ATF tests.  They
        are harmless because each ATF test case runs in its own process, but
        they are trivial to fix.  Fix a few other leaks that Coverity didn't
        detect, too.

r293229 | asomers | 2016-01-05 17:00:11 -0700 (Tue, 05 Jan 2016) | 36 lines

"source routing" in rpcbind

Fix a bug in rpcbind for multihomed hosts. If the server had interfaces on
two separate subnets, and a client on the first subnet contacted rpcbind at
the address on the second subnet, rpcbind would advertise addresses on the
first subnet. This is a bug, because it should prefer to advertise the
address where it was contacted. The requested service might be firewalled
off from the address on the first subnet, for example.

usr.sbin/rpcbind/check_bound.c
        If the address on which a request was received is known, pass that
        to addrmerge as the clnt_uaddr parameter. That is what addrmerge's
        comment indicates the parameter is supposed to mean. The previous
        behavior is that clnt_uaddr would contain the address from which the
        client sent the request.

usr.sbin/rpcbind/util.c
        Modify addrmerge to prefer to use an IP that is equal to clnt_uaddr,
        if one is found. Refactor the relevant portion of the function for
        clarity, and to reduce the number of ifdefs.

etc/mtree/BSD.tests.dist
usr.sbin/rpcbind/tests/Makefile
usr.sbin/rpcbind/tests/addrmerge_test.c
        Add unit tests for usr.sbin/rpcbind/util.c:addrmerge.

usr.sbin/rpcbind/check_bound.c
usr.sbin/rpcbind/rpcbind.h
usr.sbin/rpcbind/util.c
        Constify some function arguments
2016-03-17 20:00:49 +00:00