Author: brooks
Date: Wed Jul 22 21:44:51 2020
New Revision: 363435
URL: https://svnweb.freebsd.org/changeset/base/363435

Log:
  Avoid reading one byte before the path buffer.
  
  This happens when there's only one component (e.g. "/foo"). This
  (mostly-harmless) bug has been present since June 1990 when it was
  commited to mountd.c SCCS version 5.9.
  
  Note: the bug is on the second changed line, the first line is changed
  for visual consistency.
  
  Reviewed by:  cem, emaste, mckusick, rmacklem
  Found with:   CHERI
  Obtained from:        CheriBSD
  MFC after:    1 week
  Sponsored by: DARPA
  Differential Revision:        https://reviews.freebsd.org/D25759

Modified:
  head/usr.sbin/mountd/mountd.c

Modified: head/usr.sbin/mountd/mountd.c
==============================================================================
--- head/usr.sbin/mountd/mountd.c       Wed Jul 22 21:30:18 2020        
(r363434)
+++ head/usr.sbin/mountd/mountd.c       Wed Jul 22 21:44:51 2020        
(r363435)
@@ -3155,9 +3155,9 @@ do_mount(struct exportlist *ep, struct grouplist *grp,
                                        goto error_exit;
                                }
                                /* back up over the last component */
-                               while (*cp == '/' && cp > dirp)
+                               while (cp > dirp && *cp == '/')
                                        cp--;
-                               while (*(cp - 1) != '/' && cp > dirp)
+                               while (cp > dirp && *(cp - 1) != '/')
                                        cp--;
                                if (cp == dirp) {
                                        if (debug)
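Review bot: the operand order in the second loop, `while (cp > dirp && *(cp - 1) != '/')`, is now the only thing that keeps `*(cp - 1)` from being evaluated when cp == dirp, and nothing in the code says so; the existing comment only reads "back up over the last component". Consider extending that comment to state that the `cp > dirp` test has to come first, so that a later cleanup does not swap the operands back and reintroduce the read of the byte before dirp. The first loop dereferences `*cp`, which at cp == dirp is still inside the buffer, so its reordering is consistent with the log's statement that only the second line fixes the bug. Since the log says the single-component case ("/foo") is the trigger, a regression test that exercises a one-component path through this code would also be worth adding if the test suite can reach it.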
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all