authorBrooks Davis <brooks@FreeBSD.org>2020-07-22 21:44:51 +0000
committerBrooks Davis <brooks@FreeBSD.org>2020-07-22 21:44:51 +0000
commitd90b364147877f0fff25e98ec76d5042bd283c21 (patch)
tree6736bdd65eca6d458b44d2781522dfa4ca938ba6
parentce53f590ca015b38ba58c35f023ae76360082fa6 (diff)
Avoid reading one byte before the path buffer.
This happens when there's only one component (e.g. "/foo"). This (mostly-harmless) bug has been present since June 1990 when it was committed to mountd.c SCCS version 5.9. Note: the bug is on the second changed line, the first line is changed for visual consistency. Reviewed by: cem, emaste, mckusick, rmacklem Found with: CHERI Obtained from: CheriBSD MFC after: 1 week Sponsored by: DARPA Differential Revision: https://reviews.freebsd.org/D25759
Notes
Notes: svn path=/head/; revision=363435
-rw-r--r--usr.sbin/mountd/mountd.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/mountd/mountd.c b/usr.sbin/mountd/mountd.c
index ce059ca81f4e..00e554802f55 100644
--- a/usr.sbin/mountd/mountd.c
+++ b/usr.sbin/mountd/mountd.c
@@ -3155,9 +3155,9 @@ do_mount(struct exportlist *ep, struct grouplist *grp, uint64_t exflags,
goto error_exit;
}
/* back up over the last component */
- while (*cp == '/' && cp > dirp)
+ while (cp > dirp && *cp == '/')
cp--;
- while (*(cp - 1) != '/' && cp > dirp)
+ while (cp > dirp && *(cp - 1) != '/')
cp--;
if (cp == dirp) {
if (debug)
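Review bot: The operand order in the two `while` conditions is now the only thing that keeps `*(cp - 1)` from being read when `cp == dirp`, but nothing at the loops says so; the existing comment only describes the backing-up. I would extend it to something like `/* back up over the last component; test cp > dirp first so dirp[-1] is never read */` so that a later tidy-up does not swap the operands back. The initialisation of `cp` is not visible here; if it can ever start below `dirp` (for instance with an empty path), neither loop nor the following `cp == dirp` test would catch it, so that is worth confirming in the enclosing do_mount body, which starts and ends outside the hunk.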