From fanf@dotat.at  Thu Nov  9 14:09:37 2000
Return-Path: <fanf@dotat.at>
Received: from hand.dotat.at (sfo-gw.covalent.net [207.44.198.62])
	by hub.freebsd.org (Postfix) with ESMTP id 0D47737B4C5
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  9 Nov 2000 14:09:37 -0800 (PST)
Received: from fanf by hand.dotat.at with local (Exim 3.15 #3)
	id 13tzsy-0002L8-00
	for FreeBSD-gnats-submit@freebsd.org; Thu, 09 Nov 2000 22:09:32 +0000
Message-Id: <E13tzsy-0002L8-00@hand.dotat.at>
Date: Thu, 09 Nov 2000 22:09:32 +0000
From: Tony Finch <dot@dotat.at>
Sender: fanf@dotat.at
Reply-To: Tony Finch <dot@dotat.at>
To: FreeBSD-gnats-submit@freebsd.org
Subject: disklabel crashes if the number of partitions equals MAXPARTITIONS
X-Send-Pr-Version: 3.2

>Number:         22727
>Category:       bin
>Synopsis:       disklabel crashes if the number of partitions equals MAXPARTITIONS
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 09 14:10:01 PST 2000
>Closed-Date:    Sat Jul 7 09:39:45 PDT 2001
>Last-Modified:  Sat Jul 07 09:40:59 PDT 2001
>Originator:     Tony Finch <dot@dotat.at>
>Release:        FreeBSD 4.2-BETA-20001104 i386
>Organization:
dotat
>Environment:

FreeBSD hand.dotat.at 4.2-BETA-20001104 FreeBSD 4.2-BETA-20001104 #0: Sat Nov  4 22:44:50 UTC 2000     fanf@hand.dotat.at:/FreeBSD/obj/FreeBSD/releng4/sys/DELL-Latitude-CPx  i386

8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:  1606500        0    4.2BSD     1024  8192    16   # (Cyl.    0 - 99)
  b:  1606500  1606500      swap                        # (Cyl.  100 - 199)
  c: 23567292        0    unused        0     0         # (Cyl.    0 - 1466*)
  e:  1606500  3213000    4.2BSD     1024  8192    16   # (Cyl.  200 - 299)
  f:  8032500  4819500    4.2BSD     1024  8192    16   # (Cyl.  300 - 799)
  g:  1606500 12852000   ISO9660                        # (Cyl.  800 - 899)
  h:  1606500 14458500    4.2BSD     1024  8192    16   # (Cyl.  900 - 999)

>Description:

I tried to add another partition to the above configuration and I gave it the
letter 'i'. When I quit the editor, disklabel died from a segmentation fault
on line 841 of disklabel.c because the variable lp had been corrupted. I worked
out that this occurred in getasciilabel() because of an off-by-one error.

While I am here I note that disklabel handles editing the file in a way similar
to the way that crontab used to, until a vulnerability was found recently. I
don't know if it could cause problems, though.

>How-To-Repeat:


>Fix:


Index: disklabel.c
===================================================================
RCS file: /home/ncvs/src/sbin/disklabel/disklabel.c,v
retrieving revision 1.28.2.5
diff -u -r1.28.2.5 disklabel.c
--- disklabel.c	2000/10/31 01:32:23	1.28.2.5
+++ disklabel.c	2000/11/09 22:00:23
@@ -1141,7 +1141,7 @@
 		if ('a' <= *cp && *cp <= 'z' && cp[1] == '\0') {
 			unsigned part = *cp - 'a';
 
-			if (part > lp->d_npartitions) {
+			if (part >= lp->d_npartitions) {
 				fprintf(stderr,
 				    "line %d: bad partition name\n", lineno);
 				errors++;
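Review bot: the change from `>` to `>=` is the right fix for this hunk: partition indices are zero-based, so with d_npartitions equal to MAXPARTITIONS the old check let `part == d_npartitions` through and the later store indexed one slot past the end of d_partitions, which matches the corrupted lp in the report. Two things to confirm that lie outside the visible context: that d_npartitions is itself clamped to MAXPARTITIONS where the "N partitions:" header is parsed (otherwise a label claiming more partitions than the array holds reaches the same overrun by another path), and whether the out-of-range case deserves its own message, since "bad partition name" now covers both a malformed name and a valid letter beyond the partition count.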

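The following is an added example, not code from the PR or from FreeBSD's disklabel.c, that reproduces the off-by-one described above with a stand-in for struct disklabel. MAXPARTITIONS is assumed to be 8 (the i386 value of that era), the struct layout is a simplification, and the "i:" line appended to the report's label is constructed input. The array carries one extra slot, marked with a sentinel, that stands in for whatever follows d_partitions in memory; the check as shipped writes into it, the corrected check rejects the line.

```c
/* Example, not FreeBSD's disklabel.c: the partition-letter bounds check
 * before and after the fix, run over the label from the report. */
#include <stdio.h>
#include <string.h>

#define MAXPARTITIONS 8          /* assumed; the i386 value of the era */
#define SENTINEL 0xDEADBEEFUL    /* marks the slot just past the array */

struct partition {
    unsigned long p_size;
    unsigned long p_offset;
    char          p_fstype[16];
};

struct label {
    unsigned         d_npartitions;
    /* MAXPARTITIONS real slots plus one sentinel slot standing in for the
     * memory that follows d_partitions (in the report, the overrun reached
     * the variable lp). Indexing slot MAXPARTITIONS is exactly the write
     * the original check permits. */
    struct partition d_partitions[MAXPARTITIONS + 1];
};

/* Map a one-letter partition name to its index, or -1 if rejected.
 * strict == 0 is the check as shipped (part > d_npartitions);
 * strict == 1 is the corrected check (part >= d_npartitions). */
int partition_index(const char *cp, unsigned npartitions, int strict)
{
    if (!('a' <= *cp && *cp <= 'z' && cp[1] == '\0'))
        return -1;
    unsigned part = (unsigned)(*cp - 'a');
    if (strict ? part >= npartitions : part > npartitions)
        return -1;
    return (int)part;
}

/* Parse an ASCII label: an "N partitions:" header, then "x: size offset
 * fstype ..." lines; '#' comments are ignored. Returns the number of
 * rejected lines, as getasciilabel() counts errors. */
int parse_label(struct label *lp, const char *text, int strict)
{
    int errors = 0, lineno = 0;
    const char *p = text;

    while (*p) {
        char line[128], name[2], fstype[16];
        unsigned long size, off;
        unsigned n;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        lineno++;

        char *hash = strchr(line, '#');
        if (hash)
            *hash = '\0';

        if (sscanf(line, " %u partitions:", &n) == 1) {
            lp->d_npartitions = n;
            continue;
        }
        if (sscanf(line, " %1[a-z]: %lu %lu %15s", name, &size, &off, fstype) != 4)
            continue;           /* blank, header or unrecognised line */

        int idx = partition_index(name, lp->d_npartitions, strict);
        if (idx < 0) {
            fprintf(stderr, "line %d: bad partition name\n", lineno);
            errors++;
            continue;
        }
        /* With strict == 0 and idx == MAXPARTITIONS this is the overrun. */
        lp->d_partitions[idx].p_size = size;
        lp->d_partitions[idx].p_offset = off;
        snprintf(lp->d_partitions[idx].p_fstype,
                 sizeof lp->d_partitions[idx].p_fstype, "%s", fstype);
    }
    return errors;
}

/* The label from the report, plus a constructed "i:" line (index 8). */
static const char SAMPLE_LABEL[] =
    "8 partitions:\n"
    "#        size   offset    fstype   [fsize bsize bps/cpg]\n"
    "  a:  1606500        0    4.2BSD     1024  8192    16   # (Cyl.    0 - 99)\n"
    "  b:  1606500  1606500      swap                        # (Cyl.  100 - 199)\n"
    "  c: 23567292        0    unused        0     0         # (Cyl.    0 - 1466*)\n"
    "  e:  1606500  3213000    4.2BSD     1024  8192    16   # (Cyl.  200 - 299)\n"
    "  f:  8032500  4819500    4.2BSD     1024  8192    16   # (Cyl.  300 - 799)\n"
    "  g:  1606500 12852000   ISO9660                        # (Cyl.  800 - 899)\n"
    "  h:  1606500 14458500    4.2BSD     1024  8192    16   # (Cyl.  900 - 999)\n"
    "  i:  1606500 16065000    4.2BSD     1024  8192    16   # constructed\n";

/* Parse the sample with the given check; returns 1 if the sentinel slot
 * just past d_partitions was overwritten, and stores the error count. */
int sentinel_clobbered(int strict, int *errors_out)
{
    struct label lab;
    memset(&lab, 0, sizeof lab);
    lab.d_partitions[MAXPARTITIONS].p_size = SENTINEL;
    *errors_out = parse_label(&lab, SAMPLE_LABEL, strict);
    return lab.d_partitions[MAXPARTITIONS].p_size != SENTINEL;
}

int main(void)
{
    int errs;
    int hit = sentinel_clobbered(0, &errs);
    printf("original check: sentinel %s, %d errors\n",
           hit ? "clobbered" : "intact", errs);
    hit = sentinel_clobbered(1, &errs);
    printf("corrected check: sentinel %s, %d errors\n",
           hit ? "clobbered" : "intact", errs);
    return 0;
}
```

The sentinel slot is only a visible proxy: in the real struct the slot past d_partitions is whatever the compiler placed there, which is why the symptom in the report was a corrupted pointer rather than a clean failure.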
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: schweikh 
State-Changed-When: Sat Jul 7 09:39:45 PDT 2001 
State-Changed-Why:  
Fixed a while ago in -current and already merged to -stable. 
Thanks, Tony! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=22727 
>Unformatted:
