From nobody@FreeBSD.org  Mon Dec 21 12:42:08 2009
Message-Id: <200912211242.nBLCg7kl028627@www.freebsd.org>
Date: Mon, 21 Dec 2009 12:42:07 GMT
From: Henning Petersen <henning.petersen@t-online.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Limits in usr.sbin/rtsold/probe.c false
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         141838
>Category:       bin
>Synopsis:       [patch] rtsold(8): Limits in usr.sbin/rtsold/probe.c false
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 21 12:50:00 UTC 2009
>Closed-Date:    Mon Jan 18 05:25:50 UTC 2010
>Last-Modified:  Mon Jan 18 05:30:07 UTC 2010
>Originator:     Henning Petersen
>Release:        Freebsd-current
>Organization:
>Environment:
>Description:
Limits in usr.sbin/rtsold/probe.c false.
>How-To-Repeat:

>Fix:
diff -u -r1.12 probe.c
--- src/usr.sbin/rtsold/probe.c	7 Nov 2007 10:53:41 -0000	1.12
+++ src/usr.sbin/rtsold/probe.c	21 Dec 2009 11:58:37 -0000
@@ -118,7 +118,7 @@
 		goto closeandend;
 	}
 
-	for (i = 0; dr.defrouter[i].if_index && i < PRLSTSIZ; i++) {
+	for (i = 0; i < DRLSTSIZ && dr.defrouter[i].if_index; i++) {
 		if (ifindex && dr.defrouter[i].if_index == ifindex) {
 			/* sanity check */
 			if (!IN6_IS_ADDR_LINKLOCAL(&dr.defrouter[i].rtaddr)) {
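
Review bot: the description gives no reason for the change on the `for` line, which alters two things at once: the limit goes from PRLSTSIZ to DRLSTSIZ and the two tests swap places. Please state both in the PR text: the old condition read `dr.defrouter[i].if_index` before comparing `i` with the limit, and the limit it compared against was not the DRLSTSIZ constant now used for this array. A How-To-Repeat entry or a note on how the problem was found would also help whoever merges this to older branches.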


Patch attached with submission follows:

Index: src/usr.sbin/rtsold/probe.c
===================================================================
RCS file: /usr/ncvs/src/usr.sbin/rtsold/probe.c,v
retrieving revision 1.12
diff -u -r1.12 probe.c
--- src/usr.sbin/rtsold/probe.c	7 Nov 2007 10:53:41 -0000	1.12
+++ src/usr.sbin/rtsold/probe.c	21 Dec 2009 11:58:37 -0000
@@ -118,7 +118,7 @@
 		goto closeandend;
 	}
 
-	for (i = 0; dr.defrouter[i].if_index && i < PRLSTSIZ; i++) {
+	for (i = 0; i < DRLSTSIZ && dr.defrouter[i].if_index; i++) {
 		if (ifindex && dr.defrouter[i].if_index == ifindex) {
 			/* sanity check */
 			if (!IN6_IS_ADDR_LINKLOCAL(&dr.defrouter[i].rtaddr)) {
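
Review bot: the limit on the `+` line is still a separately named constant that has to match the declared length of `dr.defrouter`, and the `-` line shows that the wrong name can sit in this test unnoticed. Consider computing the limit from the array itself, for example `i < sizeof(dr.defrouter) / sizeof(dr.defrouter[0])`, so the test cannot drift from the declaration.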


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Mon Jan 4 18:00:23 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=141838 
State-Changed-From-To: open->patched 
State-Changed-By: delphij 
State-Changed-When: Mon Jan 4 18:04:49 UTC 2010 
State-Changed-Why:  
Patched against -HEAD, MFC reminder. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/141838: commit references a PR
Date: Mon,  4 Jan 2010 18:04:48 +0000 (UTC)

 Author: delphij
 Date: Mon Jan  4 18:04:36 2010
 New Revision: 201520
 URL: http://svn.freebsd.org/changeset/base/201520
 
 Log:
   Test index value is within the range before using it to reference
   array member.
   
   PR:		bin/141838
   Submitted by:	Henning Petersen <henning.petersen@t-online.de>
   MFC after:	2 weeks
 
 Modified:
   head/usr.sbin/rtsold/probe.c
 
 Modified: head/usr.sbin/rtsold/probe.c
 ==============================================================================
 --- head/usr.sbin/rtsold/probe.c	Mon Jan  4 17:28:59 2010	(r201519)
 +++ head/usr.sbin/rtsold/probe.c	Mon Jan  4 18:04:36 2010	(r201520)
 @@ -118,7 +118,7 @@ defrouter_probe(struct ifinfo *ifinfo)
  		goto closeandend;
  	}
  
 -	for (i = 0; dr.defrouter[i].if_index && i < PRLSTSIZ; i++) {
 +	for (i = 0; i < DRLSTSIZ && dr.defrouter[i].if_index; i++) {
  		if (ifindex && dr.defrouter[i].if_index == ifindex) {
  			/* sanity check */
  			if (!IN6_IS_ADDR_LINKLOCAL(&dr.defrouter[i].rtaddr)) {
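
Review bot: the log above describes only the reordering of the two tests, but the `+` line also replaces PRLSTSIZ with DRLSTSIZ as the limit. That is a separate fix from the evaluation order and deserves its own sentence in the log, so that anyone reading the history of `defrouter_probe()` sees that the constant changed too.
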
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/141838: commit references a PR
Date: Mon, 18 Jan 2010 04:58:30 +0000 (UTC)

 Author: delphij
 Date: Mon Jan 18 04:58:14 2010
 New Revision: 202548
 URL: http://svn.freebsd.org/changeset/base/202548
 
 Log:
   MFC r210520:
   
   Test index value is within the range before using it to reference
   array member.
   
   PR:		bin/141838
   Submitted by:	Henning Petersen <henning.petersen@t-online.de>
 
 Modified:
   stable/8/usr.sbin/rtsold/probe.c
 Directory Properties:
   stable/8/usr.sbin/rtsold/   (props changed)
 
 Modified: stable/8/usr.sbin/rtsold/probe.c
 ==============================================================================
 --- stable/8/usr.sbin/rtsold/probe.c	Mon Jan 18 04:08:43 2010	(r202547)
 +++ stable/8/usr.sbin/rtsold/probe.c	Mon Jan 18 04:58:14 2010	(r202548)
 @@ -118,7 +118,7 @@ defrouter_probe(struct ifinfo *ifinfo)
  		goto closeandend;
  	}
  
 -	for (i = 0; dr.defrouter[i].if_index && i < PRLSTSIZ; i++) {
 +	for (i = 0; i < DRLSTSIZ && dr.defrouter[i].if_index; i++) {
  		if (ifindex && dr.defrouter[i].if_index == ifindex) {
  			/* sanity check */
  			if (!IN6_IS_ADDR_LINKLOCAL(&dr.defrouter[i].rtaddr)) {
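
Review bot: the log for this merge reads `MFC r210520:`, while the head commit quoted earlier in this trail is r201520 and the stable/7 merge cites r201520; the hunk itself is identical to the head one. The revision number in this log looks transposed and is worth correcting in the commit metadata so the merge can be traced back to its origin.
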
 
State-Changed-From-To: patched->closed 
State-Changed-By: delphij 
State-Changed-When: Mon Jan 18 05:25:29 UTC 2010 
State-Changed-Why:  
Patch applied against 7-STABLE and 8-STABLE, thanks for 
your submission! 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/141838: commit references a PR
Date: Mon, 18 Jan 2010 05:22:41 +0000 (UTC)

 Author: delphij
 Date: Mon Jan 18 05:22:27 2010
 New Revision: 202550
 URL: http://svn.freebsd.org/changeset/base/202550
 
 Log:
   MFC r201520:
   
   Test index value is within the range before using it to reference
   array member.
   
   PR:		bin/141838
   Submitted by:	Henning Petersen <henning.petersen@t-online.de>
 
 Modified:
   stable/7/usr.sbin/rtsold/probe.c
 Directory Properties:
   stable/7/usr.sbin/rtsold/   (props changed)
 
 Modified: stable/7/usr.sbin/rtsold/probe.c
 ==============================================================================
 --- stable/7/usr.sbin/rtsold/probe.c	Mon Jan 18 05:03:40 2010	(r202549)
 +++ stable/7/usr.sbin/rtsold/probe.c	Mon Jan 18 05:22:27 2010	(r202550)
 @@ -118,7 +118,7 @@ defrouter_probe(struct ifinfo *ifinfo)
  		goto closeandend;
  	}
  
 -	for (i = 0; dr.defrouter[i].if_index && i < PRLSTSIZ; i++) {
 +	for (i = 0; i < DRLSTSIZ && dr.defrouter[i].if_index; i++) {
  		if (ifindex && dr.defrouter[i].if_index == ifindex) {
  			/* sanity check */
  			if (!IN6_IS_ADDR_LINKLOCAL(&dr.defrouter[i].rtaddr)) {
 
>Unformatted:
