From ee4b1561b480b13a5b2f79327507ab2f86d07aeb Mon Sep 17 00:00:00 2001 From: asomers Date: Thu, 2 Feb 2017 19:50:28 +0000 Subject: [PATCH] MFC r311160, r311210, r311288, r311292, r311298, r311340 r311160: misc minor fixes in mpr(4) sys/dev/mpr/mpr_sas.c * Fix a potential null pointer dereference (CID 1305731) * Check for overrun of the ccb_scsiio.cdb_io.cdb_bytes buffer (CID 1211934) sys/dev/mpr/mpr_sas_lsi.c * Nullify a dangling pointer in mprsas_get_sata_identify * Fix a memory leak in mprsas_SSU_to_SATA_devices (CID 1211935) Reported by: Coverity (partially) CID: 1305731 1211934 1211935 Reviewed by: slm MFC after: 4 weeks Sponsored by: Spectra Logic Corp Differential Revision: https://reviews.freebsd.org/D8880 r311210: Quell Coverity for diskinfo(8) * CID 1198994: Don't run the speed disk on a disk with no sectors * CID 1011442: Don't call close(2) if open(2) fails * CID 1011161: Use snprintf instead of sprintf * CID 1009825: Check the return value of lseek Reported by: Coverity CID: 1198994 1011442 1011161 1009825 MFC after: 4 weeks Sponsored by: Spectra Logic Corp r311288: Delete dead code in chat(8) It's always been dead, ever since first import in 1994. It's still dead in OpenBSD's version, too. Reported by: Coverity CID: 270586 MFC after: 4 weeks Sponsored by: Spectra Logic Corp r311292: Remove dead code in rpc_parse.c It's been dead ever since it was imported from TI-RPC in 1995. The dead code is still present in Illumos today, but was removed from NetBSD in 2006. Reported by: Coverity CID: 270097 Obtained from: NetBSD MFC after: 4 weeks Sponsored by: Spectra Logic Corp r311298: Remove dead code in dhclient(8) The offending code has been dead ever since the import from OpenBSD in r195805. OpenBSD later deleted that entire function. Reported by: Coverity CID: 500059 MFC after: 4 weeks Sponsored by: Spectra Logic Corp r311340: Misc Coverity fixes for tail(1) CID 1006402: Initialize stack variable CID 271580: Don't leak memory when ENOMEM. Reported by: Coverity CID: 271580 1006402 MFC after: 4 weeks Sponsored by: Spectra Logic Corp git-svn-id: svn://svn.freebsd.org/base/stable/10@313103 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- sbin/dhclient/dispatch.c | 8 ++------ sys/dev/mpr/mpr_sas.c | 7 ++++++- sys/dev/mpr/mpr_sas_lsi.c | 15 ++++++++------- usr.bin/chat/chat.c | 9 +-------- usr.bin/rpcgen/rpc_parse.c | 10 ---------- usr.bin/tail/reverse.c | 9 ++++++++- usr.sbin/diskinfo/diskinfo.c | 11 +++++++---- 7 files changed, 32 insertions(+), 37 deletions(-) diff --git a/sbin/dhclient/dispatch.c b/sbin/dhclient/dispatch.c index 3317ceb01..d493717e5 100644 --- a/sbin/dhclient/dispatch.c +++ b/sbin/dhclient/dispatch.c @@ -453,16 +453,12 @@ add_protocol(char *name, int fd, void (*handler)(struct protocol *), void remove_protocol(struct protocol *proto) { - struct protocol *p, *next, *prev; + struct protocol *p, *next; - prev = NULL; for (p = protocols; p; p = next) { next = p->next; if (p == proto) { - if (prev) - prev->next = p->next; - else - protocols = p->next; + protocols = p->next; free(p); } } diff --git a/sys/dev/mpr/mpr_sas.c b/sys/dev/mpr/mpr_sas.c index d44e50261..c9d83d8ba 100644 --- a/sys/dev/mpr/mpr_sas.c +++ b/sys/dev/mpr/mpr_sas.c @@ -1846,8 +1846,12 @@ mprsas_action_scsiio(struct mprsas_softc *sassc, union ccb *ccb) if (csio->ccb_h.flags & CAM_CDB_POINTER) bcopy(csio->cdb_io.cdb_ptr, &req->CDB.CDB32[0], csio->cdb_len); - else + else { + KASSERT(csio->cdb_len <= IOCDBLEN, + ("cdb_len %d is greater than IOCDBLEN but CAM_CDB_POINTER is not set", + csio->cdb_len)); bcopy(csio->cdb_io.cdb_bytes, &req->CDB.CDB32[0],csio->cdb_len); + } req->IoFlags = htole16(csio->cdb_len); /* @@ -2429,6 +2433,7 @@ mprsas_scsiio_complete(struct mpr_softc *sc, struct mpr_command *cm) * driver is being shutdown. */ if ((csio->cdb_io.cdb_bytes[0] == INQUIRY) && + (csio->data_ptr != NULL) && ((csio->data_ptr[0] & 0x1f) == T_DIRECT) && (sc->mapping_table[target_id].device_info & MPI2_SAS_DEVICE_INFO_SATA_DEVICE) && diff --git a/sys/dev/mpr/mpr_sas_lsi.c b/sys/dev/mpr/mpr_sas_lsi.c index 73e2f546f..1eb78d1db 100644 --- a/sys/dev/mpr/mpr_sas_lsi.c +++ b/sys/dev/mpr/mpr_sas_lsi.c @@ -1056,6 +1056,7 @@ mprsas_get_sata_identify(struct mpr_softc *sc, u16 handle, mpr_free_command(sc, cm); else if (error == 0) error = EWOULDBLOCK; + cm->cm_data = NULL; free(buffer, M_MPR); return (error); } @@ -1196,18 +1197,18 @@ mprsas_SSU_to_SATA_devices(struct mpr_softc *sc) continue; } - ccb = xpt_alloc_ccb_nowait(); - if (ccb == NULL) { - mpr_dprint(sc, MPR_FAULT, "Unable to alloc CCB to stop " - "unit.\n"); - return; - } - /* * The stop_at_shutdown flag will be set if this device is * a SATA direct-access end device. */ if (target->stop_at_shutdown) { + ccb = xpt_alloc_ccb_nowait(); + if (ccb == NULL) { + mpr_dprint(sc, MPR_FAULT, "Unable to alloc CCB to stop " + "unit.\n"); + return; + } + if (xpt_create_path(&ccb->ccb_h.path, xpt_periph, pathid, targetid, CAM_LUN_WILDCARD) != CAM_REQ_CMP) { diff --git a/usr.bin/chat/chat.c b/usr.bin/chat/chat.c index fa2df10d5..c82a13019 100644 --- a/usr.bin/chat/chat.c +++ b/usr.bin/chat/chat.c @@ -1173,7 +1173,7 @@ int get_string(char *string) { char temp[STR_LEN]; - int c, printed = 0; + int c; size_t len, minlen; char *s = temp, *end = s + STR_LEN; char *logged = temp; @@ -1306,13 +1306,6 @@ get_string(char *string) alarm(0); - if (verbose && printed) { - if (alarmed) - chat_logf(" -- read timed out"); - else - chat_logf(" -- read failed: %m"); - } - exit_code = 3; alarmed = 0; return (0); diff --git a/usr.bin/rpcgen/rpc_parse.c b/usr.bin/rpcgen/rpc_parse.c index f7f857a0c..9f8803337 100644 --- a/usr.bin/rpcgen/rpc_parse.c +++ b/usr.bin/rpcgen/rpc_parse.c @@ -290,7 +290,6 @@ def_union(definition *defp) declaration dec; case_list *cases; case_list **tailp; - int flag; defp->def_kind = DEF_UNION; scan(TOK_IDENT, &tok); @@ -309,7 +308,6 @@ def_union(definition *defp) cases->case_name = tok.str; scan(TOK_COLON, &tok); /* now peek at next token */ - flag = 0; if (peekscan(TOK_CASE, &tok)){ do { scan2(TOK_IDENT, TOK_CHARCONST, &tok); @@ -322,14 +320,6 @@ def_union(definition *defp) scan(TOK_COLON, &tok); } while (peekscan(TOK_CASE, &tok)); } - else - if (flag) - { - - *tailp = cases; - tailp = &cases->next; - cases = XALLOC(case_list); - }; get_declaration(&dec, DEF_UNION); cases->case_decl = dec; diff --git a/usr.bin/tail/reverse.c b/usr.bin/tail/reverse.c index 511f88c02..87269051e 100644 --- a/usr.bin/tail/reverse.c +++ b/usr.bin/tail/reverse.c @@ -117,6 +117,7 @@ r_reg(FILE *fp, const char *fn, enum STYLE style, off_t off, struct stat *sbp) map.start = NULL; map.mapoff = map.maxoff = size; map.fd = fileno(fp); + map.maplen = 0; /* * Last char is special, ignore whether newline or not. Note that @@ -205,7 +206,13 @@ r_buf(FILE *fp, const char *fn) (tl->l = malloc(BSZ)) == NULL) { if (!mark) err(1, "malloc"); - tl = enomem ? tl->next : mark; + if (enomem) + tl = tl->next; + else { + if (tl) + free(tl); + tl = mark; + } enomem += tl->len; } else if (mark) { tl->next = mark; diff --git a/usr.sbin/diskinfo/diskinfo.c b/usr.sbin/diskinfo/diskinfo.c index 90beba233..dac7d12c4 100644 --- a/usr.sbin/diskinfo/diskinfo.c +++ b/usr.sbin/diskinfo/diskinfo.c @@ -89,13 +89,12 @@ main(int argc, char **argv) for (i = 0; i < argc; i++) { fd = open(argv[i], O_RDONLY); if (fd < 0 && errno == ENOENT && *argv[i] != '/') { - sprintf(buf, "%s%s", _PATH_DEV, argv[i]); + snprintf(buf, BUFSIZ, "%s%s", _PATH_DEV, argv[i]); fd = open(buf, O_RDONLY); } if (fd < 0) { warn("%s", argv[i]); - exitval = 1; - goto out; + exit(1); } error = ioctl(fd, DIOCGMEDIASIZE, &mediasize); if (error) { @@ -176,7 +175,8 @@ rdsect(int fd, off_t blockno, u_int sectorsize) { int error; - lseek(fd, (off_t)blockno * sectorsize, SEEK_SET); + if (lseek(fd, (off_t)blockno * sectorsize, SEEK_SET) == -1) + err(1, "lseek"); error = read(fd, sector, sectorsize); if (error == -1) err(1, "read"); @@ -241,6 +241,9 @@ speeddisk(int fd, off_t mediasize, u_int sectorsize) off_t b0, b1, sectorcount, step; sectorcount = mediasize / sectorsize; + if (sectorcount <= 0) + return; /* Can't test devices with no sectors */ + step = 1ULL << (flsll(sectorcount / (4 * 200)) - 1); if (step > 16384) step = 16384; -- 2.45.0