From dan@kulesh.obluda.cz  Sat Sep 11 17:03:29 2004
Return-Path: <dan@kulesh.obluda.cz>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5B7E316A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 11 Sep 2004 17:03:29 +0000 (GMT)
Received: from kulesh.obluda.cz (kulesh.obluda.cz [193.179.22.243])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A189B43D45
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 11 Sep 2004 17:03:27 +0000 (GMT)
	(envelope-from dan@kulesh.obluda.cz)
Received: from kulesh.obluda.cz (localhost.eunet.cz [127.0.0.1])
	by kulesh.obluda.cz (8.13.1/8.13.1) with ESMTP id i8BH3ENP002459
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 11 Sep 2004 19:03:15 +0200 (CEST)
	(envelope-from dan@kulesh.obluda.cz)
Received: (from root@localhost)
	by kulesh.obluda.cz (8.13.1/8.13.1/Submit) id i8BH3EMm002458;
	Sat, 11 Sep 2004 19:03:14 +0200 (CEST)
	(envelope-from dan)
Message-Id: <200409111703.i8BH3EMm002458@kulesh.obluda.cz>
Date: Sat, 11 Sep 2004 19:03:14 +0200 (CEST)
From: Dan Lukes <dan@obluda.cz>
Reply-To: Dan Lukes <dan@obluda.cz>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] uninitialized "len" used instead of "slen" within usr.sbin/setkey code
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         71602
>Category:       bin
>Synopsis:       [patch] uninitialized "len" used instead of "slen" within setkey(8) code
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 11 17:10:17 GMT 2004
>Closed-Date:    
>Last-Modified:  Sat May 24 20:45:20 UTC 2008
>Originator:     Dan Lukes
>Release:        FreeBSD 5.3-BETA3 i386
>Organization:
Obludarium
>Environment:
System: FreeBSD kulesh.obluda.cz 5.3-BETA3 FreeBSD 5.3-BETA3 #8: Sun Sep 5 07:06:40 CEST 2004 dan@kulesh.obluda.cz:/usr/obj/usr/src/sys/Dan i386
$FreeBSD: usr.sbin/setkey/parse.y,v 1.7 2004/05/13 15:46:28 ume
$FreeBSD: usr.sbin/setkey/Makefile,v 1.11 2003/11/05 09:47:54 ume

>Description:
usr.sbin/setkey/parse.y:992: warning: 'len' might be used uninitialized in this function
* This warning points to a true error, as the uninitialized 'len' should not
* be used here, but the 'slen' variable

usr.sbin/setkey/parse.y:1186: warning: 'p2' might be used uninitialized in this function
* This warning points to a real error, as p2 really can be used
* uninitialised. There is another error near it as well: 'p' is incremented,
* but 'l' is not.

Additionally, I'm eliminating those warnings:
usr.sbin/setkey/parse.y:1023: warning: dereferencing type-punned pointer will break strict-aliasing rules
usr.sbin/setkey/parse.y:1039: warning: dereferencing type-punned pointer will break strict-aliasing rules

>How-To-Repeat:
	N/A
>Fix:
*** usr.sbin/setkey/Makefile.ORIG	Fri Nov 14 03:55:16 2003
--- usr.sbin/setkey/Makefile	Tue Sep  7 19:35:13 2004
***************
*** 31,37 ****
  MAN=	setkey.8
  SRCS=	setkey.c parse.y token.l
  
! CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../lib/libipsec
  YFLAGS=	-d
  
  DPADD=	${LIBL} ${LIBY}
--- 31,37 ----
  MAN=	setkey.8
  SRCS=	setkey.c parse.y token.l
  
! CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../lib/libipsec -fno-strict-aliasing
  YFLAGS=	-d
  
  DPADD=	${LIBL} ${LIBY}
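Review bot: adding `-fno-strict-aliasing` to CFLAGS silences the two type-punned-pointer warnings listed in the description (parse.y:1023 and parse.y:1039) by switching off type-based alias analysis for the whole program instead of fixing the two casts that trigger them; the lasting fix is to copy the bytes into a correctly typed object with memcpy (or read them through a union) at those sites. If the flag is committed anyway, the commit message should record that it is a workaround for those two warnings, so the flag can be removed once the casts are cleaned up.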
*** usr.sbin/setkey/parse.y.ORIG	Tue May 18 22:20:16 2004
--- usr.sbin/setkey/parse.y	Tue Sep  7 19:56:37 2004
***************
*** 1053,1059 ****
  		m_lt.sadb_lifetime_usetime = 0;
  
  		memcpy(buf + l, &m_lt, slen);
! 		l += len;
  	}
  
  	/* set lifetime for SOFT */
--- 1053,1059 ----
  		m_lt.sadb_lifetime_usetime = 0;
  
  		memcpy(buf + l, &m_lt, slen);
! 		l += slen;
  	}
  
  	/* set lifetime for SOFT */
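Review bot: the change is correct as far as the visible lines show: the count added to `l` must be the same `slen` that `memcpy(buf + l, &m_lt, slen)` just wrote, otherwise every later structure copied into `buf` lands at a wrong offset, and since the compiler warning in the description says `len` may be unassigned at this point, the old offset was garbage rather than merely off by a fixed amount. The visible lines show no check that `l + slen` fits in `buf`, so it is worth confirming at the top of the function that the buffer is sized for every structure this code appends.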
***************
*** 1069,1075 ****
  		m_lt.sadb_lifetime_usetime = 0;
  
  		memcpy(buf + l, &m_lt, slen);
! 		l += len;
  	}
  
  	len = sizeof(struct sadb_sa);
--- 1069,1075 ----
  		m_lt.sadb_lifetime_usetime = 0;
  
  		memcpy(buf + l, &m_lt, slen);
! 		l += slen;
  	}
  
  	len = sizeof(struct sadb_sa);
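Review bot: same fix as the previous hunk, this time in the SOFT lifetime block (the previous hunk ends just before the `/* set lifetime for SOFT */` comment, so it is the HARD one), and the trailing context `len = sizeof(struct sadb_sa);` confirms that `len` is first assigned only after both lifetime blocks, which is exactly why the compiler flagged it. The two blocks are identical apart from the HARD/SOFT flavour; a small helper that appends one `sadb_lifetime` and advances `l` by its size would make this copy-paste slip impossible to repeat.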
***************
*** 1195,1203 ****
  		if (*p == ',') {
  			*p = '\0';
  			p2 = ++p;
  		}
- 		for (p = p2; *p != '\0' && l < spec->len; p++, l++)
- 			;
  		if (*p != '\0' || *p2 == '\0') {
  			yyerror("invalid an upper layer protocol spec");
  			return -1;
--- 1195,1206 ----
  		if (*p == ',') {
  			*p = '\0';
  			p2 = ++p;
+ 			l++;
+ 			for (; *p != '\0' && l < spec->len; p++, l++)
+ 				;
+ 		} else {
+ 			p2 = "0";
  		}
  		if (*p != '\0' || *p2 == '\0') {
  			yyerror("invalid an upper layer protocol spec");
  			return -1;
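Review bot: the else branch cures the uninitialized `p2`, but `p2 = "0";` points `p2` at a string literal while the other branch points it into the writable `spec->buf`; if anything later in the function writes through `p2` the way `*p = '\0'` writes through `p` here, that is undefined behaviour on the literal, so please confirm `p2` is only ever read (and declare it `const char *` if so). The added `l++` is the right fix for the length counter: `p` skips the comma via `++p` but `l` previously did not, so the bounded loop could inspect one byte more than `spec->len` when the buffer is not NUL-terminated within `len`. Two smaller points for the commit message: the inner loop is now entered only when a comma is present, so the `*p != '\0'` check after the block is what rejects a first scan that stopped on neither ',' nor NUL (the case that used to read the garbage `p2`), which deserves a comment at the check; and defaulting the second field to "0" is a behaviour change that should be stated explicitly.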
>Release-Note:
>Audit-Trail:

From: Gavin Atkinson <gavin@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc: Dan Lukes <dan@obluda.cz>
Subject: Re: bin/71602: [PATCH] uninitialized "len" used instead of "slen"
	within usr.sbin/setkey code
Date: Mon, 11 Jun 2007 19:31:43 +0100

 The first part, the len -> slen changes, were made in revision 1.8 of
 src/sbin/setkey/parse.y and are in FreeBSD 6.x.  The second part has not
 yet been patched.
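The second part of the patch (the `p2` hunk, which the follow-up above says was still unpatched) turns on two details that are easier to see running than to read: the comma has to be charged against `spec->len` (the added `l++`), and the second field is scanned only when a comma was actually found, with a fixed default otherwise. The following is an added example, not code from setkey or from this PR: a constructed C model of the patched scan over a buffer that carries its own length (`struct spec` here is a stand-in for setkey's vchar_t and is an assumption, as is every name below), with a `peek` helper that records the highest index read so the bound can be checked on a few constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for the length-carrying buffer (setkey's vchar_t)
 * that the patched code walks as spec->buf / spec->len.  The buffer is
 * NOT assumed to be NUL-terminated within its first len bytes.
 */
struct spec {
	char	*buf;
	size_t	 len;
};

/* Read *p and remember the highest buffer index ever dereferenced. */
static char
peek(const struct spec *spec, const char *p, size_t *maxidx)
{
	size_t idx = (size_t)(p - spec->buf);

	if (idx > *maxidx)
		*maxidx = idx;
	return *p;
}

/*
 * Split "first[,second]" in place, following the patched logic: the comma
 * counts against spec->len (the added l++), the second field is scanned
 * only when a comma was found, and a missing second field defaults to the
 * literal "0".  Returns 0 on success, -1 for an unterminated spec or an
 * empty second field.  *maxidx reports the highest index read.
 */
static int
split_spec(struct spec *spec, const char **first, const char **second,
    size_t *maxidx)
{
	char *p;
	const char *p2;
	size_t l = 0;

	*maxidx = 0;
	/* first field: stop at ',' or NUL, or once len bytes are consumed */
	for (p = spec->buf; ; p++, l++) {
		char c = peek(spec, p, maxidx);

		if (c == ',' || c == '\0' || l >= spec->len)
			break;
	}
	if (peek(spec, p, maxidx) == ',') {
		*p = '\0';		/* terminate the first field in place */
		p2 = ++p;
		l++;			/* the comma consumed one of the len bytes */
		for (; ; p++, l++) {
			char c = peek(spec, p, maxidx);

			if (c == '\0' || l >= spec->len)
				break;
		}
	} else {
		p2 = "0";		/* default when no second field is given */
	}
	/* unterminated input, or a comma followed by nothing: reject */
	if (peek(spec, p, maxidx) != '\0' || *p2 == '\0')
		return -1;
	*first = spec->buf;
	*second = p2;
	return 0;
}

/*
 * Run one constructed case; returns 1 when return code, fields and the
 * highest index read all match (exp_maxidx must never exceed len, the
 * position where the terminator belongs).
 */
static int
check_case(const char *input, size_t len, int exp_rc, const char *exp_first,
    const char *exp_second, size_t exp_maxidx)
{
	char buf[32];
	struct spec spec;
	const char *first = NULL, *second = NULL;
	size_t maxidx = 0;
	int rc;

	memcpy(buf, input, strlen(input) + 1);	/* the scan writes in place */
	spec.buf = buf;
	spec.len = len;
	rc = split_spec(&spec, &first, &second, &maxidx);
	if (rc != exp_rc || maxidx != exp_maxidx)
		return 0;
	if (rc == 0 && (strcmp(first, exp_first) != 0 ||
	    strcmp(second, exp_second) != 0))
		return 0;
	return 1;
}

int
main(void)
{
	/* constructed inputs; len deliberately excludes trailing bytes */
	printf("80,443        -> %s\n", check_case("80,443", 6, 0, "80", "443", 6) ? "ok" : "FAIL");
	printf("80            -> %s\n", check_case("80", 2, 0, "80", "0", 2) ? "ok" : "FAIL");
	printf("80,           -> %s\n", check_case("80,", 3, -1, NULL, NULL, 3) ? "ok" : "FAIL");
	printf("80,443XX len6 -> %s\n", check_case("80,443XX", 6, -1, NULL, NULL, 6) ? "ok" : "FAIL");
	printf("8012XX len4   -> %s\n", check_case("8012XX", 4, -1, NULL, NULL, 4) ? "ok" : "FAIL");
	return 0;
}
```

Because the comma is counted, the scan of "80,443" with len 6 never reads past index 6, the byte where the terminator belongs; without the `l++` the counter lags `p` by one, and on the unterminated "80,443XX" input the loop would go on to inspect index 7. The last two cases exercise the inputs the old code handled with an uninitialized `p2` (no comma within len, or a comma followed by nothing): both are now rejected through the `*p != '\0' || *p2 == '\0'` check.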
>Unformatted:
