Module Name: src Committed By: christos Date: Thu Apr 17 16:05:45 UTC 2014
Modified Files: src/sys/dev/ic: mpt_debug.c Log Message: CID/1203194, CID/1203195: Out of bounds read To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/sys/dev/ic/mpt_debug.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/ic/mpt_debug.c diff -u src/sys/dev/ic/mpt_debug.c:1.9 src/sys/dev/ic/mpt_debug.c:1.10 --- src/sys/dev/ic/mpt_debug.c:1.9 Thu Mar 27 14:28:26 2014 +++ src/sys/dev/ic/mpt_debug.c Thu Apr 17 12:05:45 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: mpt_debug.c,v 1.9 2014/03/27 18:28:26 christos Exp $ */ +/* $NetBSD: mpt_debug.c,v 1.10 2014/04/17 16:05:45 christos Exp $ */ /* * Copyright (c) 2000, 2001 by Greg Ansley @@ -35,7 +35,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: mpt_debug.c,v 1.9 2014/03/27 18:28:26 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: mpt_debug.c,v 1.10 2014/04/17 16:05:45 christos Exp $"); #include <dev/ic/mpt.h> @@ -201,10 +201,10 @@ mpt_ioc_diag(u_int32_t code) return tbuf; while (status->Error_Code >= 0) { if ((status->Error_Code & code) != 0) { + if (len >= sizeof(tbuf)) + return tbuf; len += snprintf(tbuf + len, sizeof(tbuf) - len, "%s ", status->Error_String); - if (len > sizeof(tbuf)) - return tbuf; } status++; } @@ -248,10 +248,10 @@ mpt_scsi_state(int code) return tbuf; while (status->Error_Code >= 0) { if ((status->Error_Code & code) != 0) { + if (len >= sizeof(tbuf)) + return tbuf; len += snprintf(tbuf + len, sizeof(tbuf) - len, "%s ", status->Error_String); - if (len > sizeof(tbuf)) - return tbuf; } status++; }