Module Name:    src
Committed By:   christos
Date:           Thu Apr 17 16:05:45 UTC 2014

Modified Files:
        src/sys/dev/ic: mpt_debug.c

Log Message:
CID/1203194, CID/1203195: Out of bounds read


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/sys/dev/ic/mpt_debug.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/mpt_debug.c
diff -u src/sys/dev/ic/mpt_debug.c:1.9 src/sys/dev/ic/mpt_debug.c:1.10
--- src/sys/dev/ic/mpt_debug.c:1.9	Thu Mar 27 14:28:26 2014
+++ src/sys/dev/ic/mpt_debug.c	Thu Apr 17 12:05:45 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: mpt_debug.c,v 1.9 2014/03/27 18:28:26 christos Exp $	*/
+/*	$NetBSD: mpt_debug.c,v 1.10 2014/04/17 16:05:45 christos Exp $	*/
 
 /*
  * Copyright (c) 2000, 2001 by Greg Ansley
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: mpt_debug.c,v 1.9 2014/03/27 18:28:26 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mpt_debug.c,v 1.10 2014/04/17 16:05:45 christos Exp $");
 
 #include <dev/ic/mpt.h>
 
@@ -201,10 +201,10 @@ mpt_ioc_diag(u_int32_t code)
 		return tbuf;
 	while (status->Error_Code >= 0) {
 		if ((status->Error_Code & code) != 0) {
+			if (len >= sizeof(tbuf))
+				return tbuf;
 			len += snprintf(tbuf + len, sizeof(tbuf) - len, "%s ",
 			    status->Error_String);
-			if (len > sizeof(tbuf))
-				return tbuf;
 		}
 		status++;
 	}
@@ -248,10 +248,10 @@ mpt_scsi_state(int code)
 		return tbuf;
 	while (status->Error_Code >= 0) {
 		if ((status->Error_Code & code) != 0) {
+			if (len >= sizeof(tbuf))
+				return tbuf;
 			len += snprintf(tbuf + len, sizeof(tbuf) - len, "%s ",
 				status->Error_String);
-			if (len > sizeof(tbuf))
-				return tbuf;
 		}
 		status++;
 	}

Reply via email to