author | Brooks Davis <brooks@FreeBSD.org> | 2017-04-13 15:49:32 +0000 |
---|---|---|
committer | Brooks Davis <brooks@FreeBSD.org> | 2017-04-13 15:49:32 +0000 |
commit | 72f0a13e60eecbe42e7dc9cb8694efb36f9033d1 (patch) | |
tree | a3de1412c040d198a775d0791f0a367f0746de4f /lib/libutil/humanize_number.c | |
parent | 4e65501f13a7ab04b6f1fd693fc4c66e1e9cd41c (diff) | |
download | src-72f0a13e60eecbe42e7dc9cb8694efb36f9033d1.tar.gz src-72f0a13e60eecbe42e7dc9cb8694efb36f9033d1.zip |
Correct an out of bounds read with HN_AUTOSCALE and very large numbers.
The maximum scale is 6 (K, M, G, T, P, E) (B is 0).
Overly large explicit scales were checked correctly, but for sufficiently
large numbers HN_AUTOSCALE would get to 7 resulting in an out of bounds
read.
Found with humanize_number_test and CHERI bounds checking.
Reviewed by: emaste
Obtained from: CheriBSD
MFC after: 1 week
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D10376
Notes:
svn path=/head/; revision=316766
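The commit message describes an off-by-one between the number of prefix table entries (7: B, K, M, G, T, P, E) and the highest valid index (6). The following is an added, self-contained model of that boundary, not the libutil source: the prefix table, a bounds-checked lookup, a simplified version of the HN_AUTOSCALE loop whose bound is passed as a parameter so the old value (7) and the new value (6) can be compared, and the explicit-scale check from the patch. The `max` argument stands in for the buffer-derived limit the real function computes (1 is used to force the loop as far as the bound allows), and the HN_AUTOSCALE/HN_GETSCALE values are assumed stand-ins for the ones in <libutil.h>.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of humanize_number(3)'s scale handling; not the
 * libutil code.  Seven entries, so the highest valid index is 6:
 * "B" is scale 0 and "E" is scale 6.
 */
static const char *const prefixes[] = { "B", "K", "M", "G", "T", "P", "E" };
#define NPREFIXES ((int)(sizeof(prefixes) / sizeof(prefixes[0])))

/* Highest valid index, as the commit sets it (6), not the entry count (7). */
static const int maxscale = NPREFIXES - 1;

/* Assumed flag values for the model; the real ones live in <libutil.h>. */
#define HN_GETSCALE	0x10
#define HN_AUTOSCALE	0x20

/*
 * Bounds-checked lookup: returns NULL instead of reading past the table.
 * Under CHERI bounds checking the unchecked read prefixes[7] traps; on a
 * conventional machine it silently returns whatever follows the array.
 */
static const char *
prefix_for(int scale)
{
	if (scale < 0 || scale >= NPREFIXES)
		return NULL;
	return prefixes[scale];
}

/*
 * Model of the HN_AUTOSCALE loop: divide until the quotient drops below
 * `max` or the bound stops the loop, and return the scale index reached.
 * `bound` is explicit so the pre-fix value 7 and post-fix value 6 can be
 * compared; `max` models the buffer-derived limit of the real function.
 */
static int
autoscale(int64_t quotient, int64_t divisor, int64_t max, int bound)
{
	int i;

	for (i = 0; quotient >= max && i < bound; i++)
		quotient /= divisor;
	return i;
}

/*
 * Model of the explicit-scale validation in the patch.  Returns 0 when
 * the scale argument is acceptable and -1 when it is not.
 */
static int
validate_scale(int scale)
{
	if (scale < 0)
		return -1;
	/* Inclusive bound: 6 ("E") must pass, 7 must be rejected. */
	if (scale > maxscale && ((scale & ~(HN_AUTOSCALE | HN_GETSCALE)) != 0))
		return -1;
	return 0;
}

int
main(void)
{
	/* Old bound of 7: the index lands on the table length itself. */
	int old_scale = autoscale(INT64_MAX, 1000, 1, NPREFIXES);
	/* New bound of 6: the loop stops at "E". */
	int new_scale = autoscale(INT64_MAX, 1000, 1, maxscale);
	const char *p;

	p = prefix_for(old_scale);
	printf("bound 7 -> scale %d (%s)\n", old_scale, p ? p : "OUT OF BOUNDS");
	p = prefix_for(new_scale);
	printf("bound 6 -> scale %d (%s)\n", new_scale, p ? p : "OUT OF BOUNDS");
	printf("explicit scale 6 -> %d, 7 -> %d\n",
	    validate_scale(6), validate_scale(7));
	return 0;
}
```

The loop bound and the explicit-scale comparison are the two places where "count" and "highest index" can be confused; deriving `maxscale` from the table size, as the model does, keeps them tied to the table rather than to a literal.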
Diffstat (limited to 'lib/libutil/humanize_number.c')
-rw-r--r-- | lib/libutil/humanize_number.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libutil/humanize_number.c b/lib/libutil/humanize_number.c index b773422475b3..675a969aaa1e 100644 --- a/lib/libutil/humanize_number.c +++ b/lib/libutil/humanize_number.c @@ -43,7 +43,7 @@ __FBSDID("$FreeBSD$"); #include <locale.h> #include <libutil.h> -static const int maxscale = 7; +static const int maxscale = 6; int humanize_number(char *buf, size_t len, int64_t quotient, @@ -64,7 +64,7 @@ humanize_number(char *buf, size_t len, int64_t quotient, return (-1); if (scale < 0) return (-1); - else if (scale >= maxscale && + else if (scale > maxscale && ((scale & ~(HN_AUTOSCALE|HN_GETSCALE)) != 0)) return (-1); if ((flags & HN_DIVISOR_1000) && (flags & HN_IEC_PREFIXES)) |
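Review bot: the first hunk silently changes what `maxscale` means, from the number of prefix slots (7) to the highest valid index (6), and carries no comment saying so; since the `>` comparison in the second hunk and, per the commit message, the autoscale loop both rely on it now being an inclusive bound, a one-line comment such as `/* Highest valid scale index: B is 0, E is 6 */` next to the constant would keep the two from drifting apart again. It is also worth confirming in review that the autoscale loop, which is not in this diff, bounds its index with `maxscale` rather than a literal, because lowering the constant is the only change in the patch that can fix the HN_AUTOSCALE case the commit message describes.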
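Review bot: the flip from `scale >= maxscale` to `scale > maxscale` in the second hunk is the required companion to lowering `maxscale`, and it leaves the accepted explicit range unchanged (0 to 6 both before and after: the old code rejected 7 via `scale >= 7`, the new code rejects 7 via `scale > 6`). Because that boundary is exactly what the fix depends on, it would be good to have humanize_number_test pass scale 6 and scale 7 explicitly and expect success and -1 respectively, so a future change to either the constant or the comparison is caught by the test rather than by a bounds-checking architecture.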