author | Brooks Davis <brooks@FreeBSD.org> | 2020-07-22 21:44:51 +0000 |
---|---|---|
committer | Brooks Davis <brooks@FreeBSD.org> | 2020-07-22 21:44:51 +0000 |
commit | d90b364147877f0fff25e98ec76d5042bd283c21 (patch) | |
tree | 6736bdd65eca6d458b44d2781522dfa4ca938ba6 /usr.sbin/mountd | |
parent | ce53f590ca015b38ba58c35f023ae76360082fa6 (diff) |
Avoid reading one byte before the path buffer.
This happens when there's only one component (e.g. "/foo"). This
(mostly-harmless) bug has been present since June 1990 when it was
committed to mountd.c SCCS version 5.9.
Note: the bug is on the second changed line, the first line is changed
for visual consistency.
Reviewed by: cem, emaste, mckusick, rmacklem
Found with: CHERI
Obtained from: CheriBSD
MFC after: 1 week
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D25759
Notes:
svn path=/head/; revision=363435
Diffstat (limited to 'usr.sbin/mountd')
-rw-r--r-- | usr.sbin/mountd/mountd.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/mountd/mountd.c b/usr.sbin/mountd/mountd.c index ce059ca81f4e..00e554802f55 100644 --- a/usr.sbin/mountd/mountd.c +++ b/usr.sbin/mountd/mountd.c @@ -3155,9 +3155,9 @@ do_mount(struct exportlist *ep, struct grouplist *grp, uint64_t exflags, goto error_exit; } /* back up over the last component */ - while (*cp == '/' && cp > dirp) + while (cp > dirp && *cp == '/') cp--; - while (*(cp - 1) != '/' && cp > dirp) + while (cp > dirp && *(cp - 1) != '/') cp--; if (cp == dirp) { if (debug) |
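Review bot: the second loop's new condition, `cp > dirp && *(cp - 1) != '/'`, is safe only because `&&` evaluates the bound check before the dereference, and nothing next to the loops records that. The existing comment is just `/* back up over the last component */`. Consider extending it to say that `cp > dirp` must be tested before `*(cp - 1)` is read, so a later cleanup does not restore the old operand order and the read of `dirp[-1]` when `cp == dirp`. The first loop dereferences `*cp` rather than `*(cp - 1)`, so its reordering does not change which bytes are read. Saying that in the same comment would make it clear which of the two lines carries the fix.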