From igor@linux.qx.pl  Thu Sep 11 02:43:58 2003
Return-Path: <igor@linux.qx.pl>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1E9E416A4BF
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 11 Sep 2003 02:43:58 -0700 (PDT)
Received: from escargot.linux.qx.pl (FreeBSD.rzepaknet.us [213.216.79.99])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4645543F85
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 11 Sep 2003 02:43:56 -0700 (PDT)
	(envelope-from igor@linux.qx.pl)
Received: from igor by escargot.linux.qx.pl with local (Exim 4.22)
	id 19xNzn-0002FV-Nh
	for FreeBSD-gnats-submit@freebsd.org; Thu, 11 Sep 2003 11:44:11 +0200
Message-Id: <E19xNzn-0002FV-Nh@escargot.linux.qx.pl>
Date: Thu, 11 Sep 2003 11:44:11 +0200
From: Igor Truszkowski <igort@intergate.pl>
Reply-To: Igor Truszkowski <igort@intergate.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: atacontrol core dump (sscanf on uninitialized pointer)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         56696
>Category:       bin
>Synopsis:       atacontrol core dump (sscanf on uninitialized pointer)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    johan
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 11 02:50:07 PDT 2003
>Closed-Date:    Sun Jan 11 09:55:23 PST 2004
>Last-Modified:  Sun Jan 11 09:55:23 PST 2004
>Originator:     Igor Truszkowski
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
<Intergate sp. z o.o.>
>Environment:
System: FreeBSD escargot.linux.qx.pl 4.8-STABLE FreeBSD 4.8-STABLE #0: Tue Aug 5 13:24:45 CEST 2003 igor@escargot.truszkowski.one.pl:/vol1/obj/vol1/src/sys/ESCARGOT i386

	Probably all architectures, tested on 4.8-STABLE and current RELENG_4
	(4.9-PRERELEASE) on i386 arch.

>Description:
	atacontrol in create mode (atacontrol create) does not check
	whether argv[2] and argv[3] are initialized before performing
	sscanf() on these pointers.

>How-To-Repeat:
	Just run `atacontrol create` or `atacontrol create RAID1`
	without additional arguments.

>Fix:

	The problem is located near lines #306 and #320 in atacontrol.c.

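As an added illustration, and not code from this PR or from FreeBSD's atacontrol, here is a simplified, hypothetical stand-in for the create-mode argument parsing that bounds-checks argc before touching argv[2] and argv[3] (argv[argc] is NULL, which is what sscanf was handed) and checks sscanf's return value with `!= 1` so an empty interleave argument is rejected as well. The names parse_create_args and raid_type_code, the status codes and the sample argument vectors are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Status codes of the hypothetical parser below. */
enum { ARG_OK = 0, ARG_BAD_TYPE = 1, ARG_BAD_INTERLEAVE = 2 };

/* Results of the most recent parse (globals keep the example short). */
static int raid_type, raid_interleave;

/* argc for a NULL-terminated sample argv: NARGS(sample_no_type) == 2. */
#define NARGS(a) ((int)(sizeof(a) / sizeof((a)[0])) - 1)

/* Constructed sample argument vectors, mirroring the PR's How-To-Repeat. */
static char *sample_no_type[]          = { "atacontrol", "create", NULL };
static char *sample_no_interleave[]    = { "atacontrol", "create", "RAID0", NULL };
static char *sample_empty_interleave[] = { "atacontrol", "create", "RAID0", "", NULL };
static char *sample_stripe_ok[] = { "atacontrol", "create", "RAID0", "64", "ad0", "ad1", NULL };
static char *sample_mirror_ok[] = { "atacontrol", "create", "mirror", "ad0", "ad1", NULL };

/* Map a RAID-type word to a numeric code (0 = unknown), same mapping
 * as atacontrol's create mode, written as a function for clarity. */
static int raid_type_code(const char *word)
{
    if (!strcmp(word, "RAID0") || !strcmp(word, "stripe")) return 1;
    if (!strcmp(word, "RAID1") || !strcmp(word, "mirror")) return 2;
    if (!strcmp(word, "RAID0+1"))                          return 3;
    if (!strcmp(word, "SPAN")  || !strcmp(word, "JBOD"))   return 4;
    return 0;
}

/* Hardened parse of "atacontrol create <type> [interleave] <disk>...".
 * Every argv index is checked against argc before use, because
 * argv[argc] is NULL and strcmp/sscanf would dereference it.
 * sscanf's result is compared with != 1: an empty string makes sscanf
 * return EOF (-1), which the form "!sscanf(...) == 1" does not catch. */
int parse_create_args(int argc, char *argv[])
{
    raid_type = raid_interleave = 0;
    if (argc > 2)
        raid_type = raid_type_code(argv[2]);
    if (raid_type == 0)
        return ARG_BAD_TYPE;          /* missing or unknown type word */
    if (raid_type & 1) {              /* striped types take an interleave */
        if (argc < 4 || sscanf(argv[3], "%d", &raid_interleave) != 1)
            return ARG_BAD_INTERLEAVE;
    }
    return ARG_OK;
}
```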
>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: Igor Truszkowski <igort@intergate.pl>
Cc: sos@freebsd.org, bug-followup@freebsd.org
Subject: Re: bin/56696: atacontrol core dump (sscanf on uninitialized pointer)
Date: Mon, 13 Oct 2003 18:27:41 +0400 (MSD)

 Please try enclosed patch.
 
 Index: atacontrol.c
 ===================================================================
 RCS file: /home/ncvs/src/sbin/atacontrol/atacontrol.c,v
 retrieving revision 1.26
 diff -u -r1.26 atacontrol.c
 --- atacontrol.c	24 Aug 2003 09:23:54 -0000	1.26
 +++ atacontrol.c	13 Oct 2003 14:22:34 -0000
 @@ -339,14 +339,19 @@
  		int disk, dev, offset;
 
  		iocmd.cmd = ATARAIDCREATE;
 -		if (!strcmp(argv[2], "RAID0") || !strcmp(argv[2], "stripe"))
 -			iocmd.u.raid_setup.type = 1;
 -		if (!strcmp(argv[2], "RAID1") || !strcmp(argv[2],"mirror"))
 -			iocmd.u.raid_setup.type = 2;
 -		if (!strcmp(argv[2], "RAID0+1"))
 -			iocmd.u.raid_setup.type = 3;
 -		if (!strcmp(argv[2], "SPAN") || !strcmp(argv[2], "JBOD"))
 -			iocmd.u.raid_setup.type = 4;
 +		if (argc > 2) {
 +			if (!strcmp(argv[2], "RAID0") ||
 +			    !strcmp(argv[2], "stripe"))
 +				iocmd.u.raid_setup.type = 1;
 +			if (!strcmp(argv[2], "RAID1") ||
 +			    !strcmp(argv[2], "mirror"))
 +				iocmd.u.raid_setup.type = 2;
 +			if (!strcmp(argv[2], "RAID0+1"))
 +				iocmd.u.raid_setup.type = 3;
 +			if (!strcmp(argv[2], "SPAN") ||
 +			    !strcmp(argv[2], "JBOD"))
 +				iocmd.u.raid_setup.type = 4;
 +		}
  		if (!iocmd.u.raid_setup.type) {
  			fprintf(stderr, "atacontrol: Invalid RAID type\n");
  			fprintf(stderr, "atacontrol: Valid RAID types : \n");
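Review bot: the `argc > 2` guard removes the NULL argv[2] dereference, but it only reports the missing argument correctly if iocmd.u.raid_setup.type is already zero when the guard is skipped, since the following `if (!iocmd.u.raid_setup.type)` is what prints "Invalid RAID type"; the hunk does not show iocmd being cleared, so confirm it is zeroed (bzero/memset) before this block, otherwise stale stack contents could silently select a RAID type when no argument was given. Minor: for the no-argument case a usage message would be more helpful than "Invalid RAID type".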
 @@ -356,7 +361,7 @@
  		}
 
  		if (iocmd.u.raid_setup.type & 1) {
 -			if (!sscanf(argv[3], "%d",
 +			if (argc < 4 || !sscanf(argv[3], "%d",
  				    &iocmd.u.raid_setup.interleave) == 1) {
  				fprintf(stderr, "atacontrol: Invalid interleave\n");
  				exit(EX_USAGE);
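Review bot: the added `argc < 4` test fixes the missing-argument crash, but the expression it is joined to has a pre-existing precedence bug: `!sscanf(argv[3], "%d", ...) == 1` parses as `(!sscanf(...)) == 1`, which is true only when sscanf returns 0, so an empty argv[3] (where sscanf returns EOF) is accepted and interleave is left unset. Since the line is being touched anyway, suggest `if (argc < 4 || sscanf(argv[3], "%d", &iocmd.u.raid_setup.interleave) != 1) {`.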
 %%%
 
 -- 
 Maxim Konovalov, maxim@macomnet.ru, maxim@FreeBSD.org
Responsible-Changed-From-To: freebsd-bugs->johan 
Responsible-Changed-By: johan 
Responsible-Changed-When: Wed Nov 5 13:05:52 PST 2003 
Responsible-Changed-Why:  
I'll take care of this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=56696 
State-Changed-From-To: open->patched 
State-Changed-By: johan 
State-Changed-When: Wed Nov 5 13:56:39 PST 2003 
State-Changed-Why:  
Committed to current. I will MFC in two weeks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=56696 
State-Changed-From-To: patched->closed 
State-Changed-By: johan 
State-Changed-When: Sun Jan 11 09:54:57 PST 2004 
State-Changed-Why:  
I finally found time to MFC this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=56696 
>Unformatted:
