Fwd: git: fbfdf57d65be - main - Fix off-by-one bug in btpand

To: tech-userlevel%netbsd.org@localhost
Subject: Fwd: git: fbfdf57d65be - main - Fix off-by-one bug in btpand
From: Jessica Clarke <jrtc27%freebsd.org@localhost>
Date: Mon, 3 Jun 2024 20:37:15 +0100

FYI this bug is still present in your btpand.

Jess

> Begin forwarded message:
> 
> From: Jessica Clarke <jrtc27%FreeBSD.org@localhost>
> Subject: git: fbfdf57d65be - main - Fix off-by-one bug in btpand
> Date: 3 June 2024 at 20:31:02 BST
> To: src-committers%FreeBSD.org@localhost, dev-commits-src-all%FreeBSD.org@localhost, dev-commits-src-main%FreeBSD.org@localhost
> 
> The branch main has been updated by jrtc27:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=fbfdf57d65bedfab28f9debc8a4a8d6802f9338a
> 
> commit fbfdf57d65bedfab28f9debc8a4a8d6802f9338a
> Author:     Dapeng Gao <dg612%cam.ac.uk@localhost>
> AuthorDate: 2024-06-03 19:30:36 +0000
> Commit:     Jessica Clarke <jrtc27%FreeBSD.org@localhost>
> CommitDate: 2024-06-03 19:30:36 +0000
> 
>    Fix off-by-one bug in btpand
> 
>    `ul` reaches `__arraycount(services)` before the bound-check happens, causing undefined behaviour.
> 
>    Reviewed by:    imp, jrtc27
>    Fixes:          7718ced0ea98 ("Add btpand(8) daemon from NetBSD.")
>    MFC after:      1 week
>    Differential Revision:  https://reviews.freebsd.org/D45463
> ---
> usr.sbin/bluetooth/btpand/btpand.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/usr.sbin/bluetooth/btpand/btpand.c b/usr.sbin/bluetooth/btpand/btpand.c
> index d4bc15823290..f0b29837188f 100644
> --- a/usr.sbin/bluetooth/btpand/btpand.c
> +++ b/usr.sbin/bluetooth/btpand/btpand.c
> @@ -143,11 +143,14 @@ main(int argc, char *argv[])
> 
> case 's': /* service */
> case 'S': /* service (no SDP) */
> - for (ul = 0; strcasecmp(optarg, services[ul].name); ul++) {
> - if (ul == __arraycount(services))
> - errx(EXIT_FAILURE, "%s: unknown service", optarg);
> + for (ul = 0; ul < __arraycount(services); ul++) {
> + if (strcasecmp(optarg, services[ul].name) == 0)
> + break;
> }
> 
> + if (ul == __arraycount(services))
> + errx(EXIT_FAILURE, "%s: unknown service", optarg);
> +
> if (ch == 's')
> service_name = services[ul].name;
>

Follow-Ups:
- Re: Fwd: git: fbfdf57d65be - main - Fix off-by-one bug in btpand
  - From: Iain Hibbert

Prev by Date: Re: Proposal: include leap-seconds.list from tzdata
Next by Date: Re: Fwd: git: fbfdf57d65be - main - Fix off-by-one bug in btpand
Previous by Thread: Proposal: include leap-seconds.list from tzdata
Next by Thread: Re: Fwd: git: fbfdf57d65be - main - Fix off-by-one bug in btpand
Indexes:

Home | Main Index | Thread Index | Old Index