Module Name:    src
Committed By:   christos
Date:           Thu Apr 17 16:04:47 UTC 2014

Modified Files:
        src/sys/dev/ic: aic79xx.c

Log Message:
CID/1203192, CID/1203193: Out of bounds read


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 src/sys/dev/ic/aic79xx.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/aic79xx.c
diff -u src/sys/dev/ic/aic79xx.c:1.47 src/sys/dev/ic/aic79xx.c:1.48
--- src/sys/dev/ic/aic79xx.c:1.47	Thu Mar 27 14:28:26 2014
+++ src/sys/dev/ic/aic79xx.c	Thu Apr 17 12:04:47 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: aic79xx.c,v 1.47 2014/03/27 18:28:26 christos Exp $	*/
+/*	$NetBSD: aic79xx.c,v 1.48 2014/04/17 16:04:47 christos Exp $	*/
 
 /*
  * Core routines and tables shareable across OS platforms.
@@ -49,7 +49,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: aic79xx.c,v 1.47 2014/03/27 18:28:26 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: aic79xx.c,v 1.48 2014/04/17 16:04:47 christos Exp $");
 
 #include <dev/ic/aic79xx_osm.h>
 #include <dev/ic/aic79xx_inline.h>
@@ -8605,13 +8605,11 @@ ahd_print_register(ahd_reg_parse_entry_t
 		*cur_column = 0;
 	}
 	printed = snprintf(line, sizeof(line), "%s[0x%x]", name, value);
-	if (printed > sizeof(line))
 		printed = sizeof(line);
 	if (table == NULL) {
-		printed += snprintf(&line[printed], (sizeof line) - printed,
-		    " ");
-		if (printed > sizeof(line))
-			printed = sizeof(line);
+		if (printed < sizeof(line))
+		    printed += snprintf(&line[printed],
+			(sizeof line) - printed,
 		printf("%s", line);
 		if (cur_column != NULL)
 			*cur_column += printed;
@@ -8627,12 +8625,11 @@ ahd_print_register(ahd_reg_parse_entry_t
 			 || ((printed_mask & table[entry].mask)
 			  == table[entry].mask))
 				continue;
-			if (printed > sizeof(line))
-				printed = sizeof(line);
-			printed += snprintf(&line[printed],
-			    (sizeof line) - printed, "%s%s",
-				printed_mask == 0 ? ":(" : "|",
-				table[entry].name);
+			if (printed < sizeof(line))
+			    printed += snprintf(&line[printed],
+				(sizeof line) - printed, "%s%s",
+				    printed_mask == 0 ? ":(" : "|",
+				    table[entry].name);
 			printed_mask |= table[entry].mask;
 
 			break;
@@ -8640,14 +8637,14 @@ ahd_print_register(ahd_reg_parse_entry_t
 		if (entry >= num_entries)
 			break;
 	}
-	if (printed > sizeof(line))
-		printed = sizeof(line);
-	if (printed_mask != 0)
-		printed += snprintf(&line[printed],
-		    (sizeof line) - printed, ") ");
-	else
-		printed += snprintf(&line[printed],
-		    (sizeof line) - printed, " ");
+	if (printed < sizeof(line)) {
+		if (printed_mask != 0)
+			printed += snprintf(&line[printed],
+			    (sizeof line) - printed, ") ");
+		else
+			printed += snprintf(&line[printed],
+			    (sizeof line) - printed, " ");
+	}
 	if (cur_column != NULL)
 		*cur_column += printed;
 	printf("%s", line);

Reply via email to