The branch main has been updated by jrtc27:
URL:
https://cgit.FreeBSD.org/src/commit/?id=fbfdf57d65bedfab28f9debc8a4a8d6802f9338a
commit fbfdf57d65bedfab28f9debc8a4a8d6802f9338a
Author: Dapeng Gao <dg...@cam.ac.uk>
AuthorDate: 2024-06-03 19:30:36 +0000
Commit: Jessica Clarke <jrt...@freebsd.org>
CommitDate: 2024-06-03 19:30:36 +0000
Fix off-by-one bug in btpand
`ul` reaches `__arraycount(services)` before the bound-check happens,
causing undefined behaviour.
Reviewed by: imp, jrtc27
Fixes: 7718ced0ea98 ("Add btpand(8) daemon from NetBSD.")
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45463
---
usr.sbin/bluetooth/btpand/btpand.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/bluetooth/btpand/btpand.c
b/usr.sbin/bluetooth/btpand/btpand.c
index d4bc15823290..f0b29837188f 100644
--- a/usr.sbin/bluetooth/btpand/btpand.c
+++ b/usr.sbin/bluetooth/btpand/btpand.c
@@ -143,11 +143,14 @@ main(int argc, char *argv[])
case 's': /* service */
case 'S': /* service (no SDP) */
- for (ul = 0; strcasecmp(optarg, services[ul].name);
ul++) {
- if (ul == __arraycount(services))
- errx(EXIT_FAILURE, "%s: unknown
service", optarg);
+ for (ul = 0; ul < __arraycount(services); ul++) {
+ if (strcasecmp(optarg, services[ul].name) == 0)
+ break;
}
+ if (ul == __arraycount(services))
+ errx(EXIT_FAILURE, "%s: unknown service",
optarg);
+
if (ch == 's')
service_name = services[ul].name;
