
Avoid reading one byte before the path buffer.
Closed, Public

Authored by brooks on Jul 21 2020, 11:17 PM.

Details

Summary

This happens when there's only one component (e.g. "/foo"). This bug
has been present since June 6, 1990 when it was committed to mountd.c
SCCS version 5.9.
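The diff itself is not reproduced on this page, so the following is an added illustration of the bug class the summary describes (a read of the byte before the start of a path buffer when the path has a single component), not the mountd.c code under review. The function names, the in-place path walk and the hypothetical is_mountpoint() list are constructed for the example; the buggy variant reads cp[-1] without first checking that cp is past the start of the buffer, the fixed variant adds that check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example for the off-by-one read discussed in this review.
 * Not the mountd.c code; all functions here are hypothetical.
 */

/* Hypothetical predicate standing in for a statfs()-based check. */
static bool
is_mountpoint(const char *path)
{
	return strcmp(path, "/") == 0 || strcmp(path, "/usr") == 0;
}

/*
 * Buggy shape: cut the path at its last '/', treating a run of '/' as one
 * separator, and keep the root "/" itself. The loop inspects cp[-1] before
 * checking that cp is past the start of the buffer, so for a
 * single-component path such as "/foo" (its last '/' is path[0]) it reads
 * one byte before the buffer. CHERI's bounded pointers trap on that read;
 * conventional hardware silently reads whatever precedes the allocation.
 */
bool
strip_last_component_buggy(char *path)
{
	char *cp = strrchr(path, '/');

	if (cp == NULL)
		return false;
	while (cp[-1] == '/')		/* out-of-bounds when cp == path */
		cp--;
	if (cp == path)
		cp++;			/* keep the leading '/' of the root */
	*cp = '\0';
	return true;
}

/*
 * Fixed shape: the bounds check comes before the dereference, and a path
 * that is already "/" reports that nothing more can be stripped.
 */
bool
strip_last_component_fixed(char *path)
{
	char *cp = strrchr(path, '/');

	if (cp == NULL)
		return false;
	while (cp > path && cp[-1] == '/')	/* check position first */
		cp--;
	if (cp == path) {
		if (path[1] == '\0')
			return false;		/* already at the root */
		cp++;				/* keep the leading '/' */
	}
	*cp = '\0';
	return true;
}

/*
 * Walk up from an export path, one component at a time, until a mount
 * point is reached. The path is truncated in place; returns false if the
 * walk runs out of components without finding one.
 */
bool
find_mountpoint(char *path)
{
	while (!is_mountpoint(path)) {
		if (!strip_last_component_fixed(path))
			return false;
	}
	return true;
}

int
main(void)
{
	char export_path[] = "/usr/local/bin";	/* constructed input */
	char single[] = "/foo";			/* the case from the summary */

	if (find_mountpoint(export_path))
		printf("mount point: %s\n", export_path);
	if (find_mountpoint(single))
		printf("mount point: %s\n", single);
	return 0;
}
```

The test exercises the buggy variant only on inputs where its read stays in bounds; the "/foo" case goes through the fixed variant, which is the point of the change.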

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

brooks created this revision.
cem added a subscriber: cem.
cem added inline comments.
usr.sbin/mountd/mountd.c, line 3158 (On Diff #74764)

I might swap this one too for visual consistency. No functional difference, I think.

This revision is now accepted and ready to land. Jul 22 2020, 12:01 AM

I concur with the proposed change and also agree that cem's suggestion is a good one.

Revision control history is such an ugly reminder of one's fallibility :-)

Looks fine to me too.
And I see that I can't blame Herb Hasler (the guy who wrote mountd.c when
he was working for me long ago). (Btw, I got email from Herb recently.
He's doing fine, living in TN these days.)

So, just out of curiosity, did this actually cause a crash or was it detected by some debugging
in malloc() or ???

With CHERI (cheri-cpu.org) this causes a crash as pointers have hardware-enforced bounds. This is pretty typical of the sort of long-standing bug we're finding. I found a similar one in tcsh a few years ago where hitting <tab> on an empty command line read a byte before the beginning of a string.

I'll make cem's suggested change before commit.

This revision was automatically updated to reflect the committed changes.