Subject: kern/3161: ccd(4): off-by-one error in ccdopen() range check
To: None <gnats-bugs@gnats.netbsd.org>
From: Klaus Klein <kleink@layla.inka.de>
List: netbsd-bugs
Date: 01/29/1997 22:19:01
>Number:         3161
>Category:       kern
>Synopsis:       ccd(4): off-by-one error in ccdopen() range check
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 29 13:35:00 1997
>Last-Modified:
>Originator:     Klaus Klein
>Organization:
private site
>Release:        970129
>Environment:
[mi]

>Description:
ccdopen() performs a range check on whether the number of the partition
to be opened is bigger than the d_npartitions value of the ccd's disk
label, a value which denotes the number of the last entry set in the
partition table, plus 1.

The check should actually test whether the partition number is greater
than or equal to d_npartitions: if your last partition is 'c' (==2),
d_npartitions will be ==3 (a,b,_c_) and the range check mentioned above
would have no objections against opening partition 'd' (==3).

>How-To-Repeat:
see above.

>Fix:

RCS file: /cvsroot/netbsd/src/sys/dev/ccd.c,v
retrieving revision 1.1.1.1
diff -b -c -r1.1.1.1 ccd.c
*** ccd.c	1996/12/20 13:28:14	1.1.1.1
--- ccd.c	1997/01/29 20:49:44
***************
*** 560,566 ****
  	/* Check that the partition exists. */
  	if (part != RAW_PART) {
  		if (((cs->sc_flags & CCDF_INITED) == 0) ||
! 		    ((part > lp->d_npartitions) ||
  		     (lp->d_partitions[part].p_fstype == FS_UNUSED))) {
  			error = ENXIO;
  			goto done;
--- 560,566 ----
  	/* Check that the partition exists. */
  	if (part != RAW_PART) {
  		if (((cs->sc_flags & CCDF_INITED) == 0) ||
! 		    ((part >= lp->d_npartitions) ||
  		     (lp->d_partitions[part].p_fstype == FS_UNUSED))) {
  			error = ENXIO;
  			goto done;
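Review bot: `>=` is the right bound here, since d_npartitions is a count and the valid indices into lp->d_partitions[] are 0 .. d_npartitions-1; with the old `>` test, part == d_npartitions passed the check and reached the `lp->d_partitions[part].p_fstype` read on the next line. Note that the correctness of the fixed line depends on the `||` ordering: the index check must stay ahead of the p_fstype dereference so that short-circuit evaluation never evaluates the out-of-range subscript. Suggest extending the existing "Check that the partition exists." comment to say that the bounds test must precede the p_fstype lookup, so a later reordering does not silently reintroduce the problem.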
>Audit-Trail:
>Unformatted: