
Avoid reading one byte before the path buffer.
ClosedPublic

Authored by brooks on Jul 21 2020, 11:17 PM.

Details

Summary

This happens when there's only one component (e.g. "/foo"). This bug
has been present since June 6, 1990 when it was committed to mountd.c
SCCS version 5.9.
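The diff itself is not reproduced on this page, so the following is an added illustration of the bug class the summary describes, not the mountd.c code: backing up over the last component of a path by scanning for the preceding '/', where the byte before the cursor is tested before the cursor is checked against the start of the buffer. For a single-component path such as "/foo" the only '/' is at index 0, and the scan reads one byte before the buffer. The `checked_read()` accessor, the `pathbuf` struct and the sample paths are all assumptions made here; `checked_read()` stands in for the hardware bounds check that, as noted later in the thread, turns this read into a crash on CHERI, and records the violation instead of performing it.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical illustration, not the mountd.c code.  Backing up over the
 * last path component: find the final '/', then collapse any run of slashes
 * before it ("/usr//foo" -> "/usr").  The unsafe variant tests the byte
 * before the slash *before* testing the index, so for "/foo" it reads
 * buf[-1].  checked_read() models a CHERI-style bounds check: it counts the
 * violation rather than touching memory outside the object.
 */
struct pathbuf {
    char buf[64];   /* NUL-terminated path (constructed sample input) */
    long len;       /* strlen(buf) */
    int  oob_reads; /* bounds violations observed by checked_read() */
};

static void pathbuf_init(struct pathbuf *pb, const char *path)
{
    memset(pb, 0, sizeof(*pb));
    strncpy(pb->buf, path, sizeof(pb->buf) - 1);
    pb->len = (long)strlen(pb->buf);
}

/* Valid indices are [0, len]; index len is the terminating NUL. */
static char checked_read(struct pathbuf *pb, long idx)
{
    if (idx < 0 || idx > pb->len) {
        pb->oob_reads++;
        return '\0';
    }
    return pb->buf[idx];
}

/* Index of the last '/', or -1 if the path contains none. */
static long last_slash(struct pathbuf *pb)
{
    long i = pb->len - 1;

    while (i >= 0 && checked_read(pb, i) != '/')
        i--;
    return i;
}

/*
 * Return the index at which to cut so that the last component and the
 * slashes preceding it disappear.  0 means only the root is left.
 */
static long parent_cut_unsafe(struct pathbuf *pb)
{
    long i = last_slash(pb);

    if (i < 0)
        return -1;
    /* BUG: buf[i - 1] is read before i > 0 is checked; for "/foo", i == 0. */
    while (checked_read(pb, i - 1) == '/' && i > 0)
        i--;
    return i;
}

static long parent_cut_safe(struct pathbuf *pb)
{
    long i = last_slash(pb);

    if (i < 0)
        return -1;
    /* Guard first: short-circuit && never evaluates buf[i - 1] when i == 0. */
    while (i > 0 && checked_read(pb, i - 1) == '/')
        i--;
    return i;
}

/* Apply the safe cut in place; "/foo" becomes "/" rather than "". */
static const char *strip_last_component(struct pathbuf *pb)
{
    long i = parent_cut_safe(pb);

    if (i < 0)
        return NULL;
    pb->buf[i == 0 ? 1 : i] = '\0';
    pb->len = (long)strlen(pb->buf);
    return pb->buf;
}

int main(void)
{
    const char *samples[] = { "/usr/home/foo", "/usr//foo", "/foo" };
    struct pathbuf pb;
    size_t n;

    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        pathbuf_init(&pb, samples[n]);
        parent_cut_unsafe(&pb);
        printf("%-14s unsafe: %d out-of-bounds read(s)\n", samples[n], pb.oob_reads);
        pathbuf_init(&pb, samples[n]);
        parent_cut_safe(&pb);
        printf("%-14s safe:   %d out-of-bounds read(s), parent \"%s\"\n",
            samples[n], pb.oob_reads, strip_last_component(&pb));
    }
    return 0;
}
```

The two loops differ only in operand order. On a conventional system the stray read of buf[-1] usually returns whatever byte happens to precede the allocation and goes unnoticed, which is how such a loop survives for decades; a pointer with enforced bounds faults on the dereference itself, and a malloc debugger only catches it if the buffer happens to sit at the start of a guarded region.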

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

brooks created this revision.
cem added a subscriber: cem.
cem added inline comments.
usr.sbin/mountd/mountd.c
line 3158 (On Diff #74764)

I might swap this one too for visual consistency. No functional difference, I think.

This revision is now accepted and ready to land. Jul 22 2020, 12:01 AM

I concur with the proposed change and also agree that cem's suggestion is a good one.

Revision control history is such an ugly reminder of one's fallibility :-)

Looks fine to me too.
And I see that I can't blame Herb Hasler (the guy who wrote mountd.c when
he was working for me long ago). (Btw, I got email from Herb recently.
He's doing fine, living in TN these days.)

So, just out of curiosity, did this actually cause a crash or was it detected by some debugging
in malloc() or ???

With CHERI (cheri-cpu.org) this causes a crash as pointers have hardware enforced bounds. This is pretty typical of the sort of long standing bug we're finding. I found a similar one in tcsh a few years ago where hitting <tab> on an empty command line read a byte before the beginning of a string.

I'll make cem's suggested change before commit.

This revision was automatically updated to reflect the committed changes.