[src/trunk]: src/sys/dev/ic CID/1203192, CID/1203193: Out of bounds read

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/335d8ea47409
branches:  trunk
changeset: 328766:335d8ea47409
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Apr 17 16:04:47 2014 +0000

description:
CID/1203192, CID/1203193: Out of bounds read

diffstat:

 sys/dev/ic/aic79xx.c |  39 ++++++++++++++++++---------------------
 1 files changed, 18 insertions(+), 21 deletions(-)

diffs (76 lines):

diff -r 945a26af354e -r 335d8ea47409 sys/dev/ic/aic79xx.c
--- a/sys/dev/ic/aic79xx.c      Thu Apr 17 16:01:24 2014 +0000
+++ b/sys/dev/ic/aic79xx.c      Thu Apr 17 16:04:47 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: aic79xx.c,v 1.47 2014/03/27 18:28:26 christos Exp $    */
+/*     $NetBSD: aic79xx.c,v 1.48 2014/04/17 16:04:47 christos Exp $    */
 
 /*
  * Core routines and tables shareable across OS platforms.
@@ -49,7 +49,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: aic79xx.c,v 1.47 2014/03/27 18:28:26 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: aic79xx.c,v 1.48 2014/04/17 16:04:47 christos Exp $");
 
 #include <dev/ic/aic79xx_osm.h>
 #include <dev/ic/aic79xx_inline.h>
@@ -8605,13 +8605,11 @@
                *cur_column = 0;
        }
        printed = snprintf(line, sizeof(line), "%s[0x%x]", name, value);
-       if (printed > sizeof(line))
                printed = sizeof(line);
        if (table == NULL) {
-               printed += snprintf(&line[printed], (sizeof line) - printed,
-                   " ");
-               if (printed > sizeof(line))
-                       printed = sizeof(line);
+               if (printed < sizeof(line))
+                   printed += snprintf(&line[printed],
+                       (sizeof line) - printed,
                printf("%s", line);
                if (cur_column != NULL)
                        *cur_column += printed;
@@ -8627,12 +8625,11 @@
                         || ((printed_mask & table[entry].mask)
                          == table[entry].mask))
                                continue;
-                       if (printed > sizeof(line))
-                               printed = sizeof(line);
-                       printed += snprintf(&line[printed],
-                           (sizeof line) - printed, "%s%s",
-                               printed_mask == 0 ? ":(" : "|",
-                               table[entry].name);
+                       if (printed < sizeof(line))
+                           printed += snprintf(&line[printed],
+                               (sizeof line) - printed, "%s%s",
+                                   printed_mask == 0 ? ":(" : "|",
+                                   table[entry].name);
                        printed_mask |= table[entry].mask;
 
                        break;
@@ -8640,14 +8637,14 @@
                if (entry >= num_entries)
                        break;
        }
-       if (printed > sizeof(line))
-               printed = sizeof(line);
-       if (printed_mask != 0)
-               printed += snprintf(&line[printed],
-                   (sizeof line) - printed, ") ");
-       else
-               printed += snprintf(&line[printed],
-                   (sizeof line) - printed, " ");
+       if (printed < sizeof(line)) {
+               if (printed_mask != 0)
+                       printed += snprintf(&line[printed],
+                           (sizeof line) - printed, ") ");
+               else
+                       printed += snprintf(&line[printed],
+                           (sizeof line) - printed, " ");
+       }
        if (cur_column != NULL)
                *cur_column += printed;
        printf("%s", line);