CID/1203192, CID/1203193: Out of bounds read

2014-04-17 16:04:47 +00:00 · 2014-04-17 16:04:47 +00:00 · eb84199eb9
commit eb84199eb9
parent 41b25bacda
1 changed files with 18 additions and 21 deletions
--- a/sys/dev/ic/aic79xx.c
+++ b/sys/dev/ic/aic79xx.c
@ -1,4 +1,4 @@
-/*	$NetBSD: aic79xx.c,v 1.47 2014/03/27 18:28:26 christos Exp $	*/
+/*	$NetBSD: aic79xx.c,v 1.48 2014/04/17 16:04:47 christos Exp $	*/

 /*
 * Core routines and tables shareable across OS platforms.
@ -49,7 +49,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: aic79xx.c,v 1.47 2014/03/27 18:28:26 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: aic79xx.c,v 1.48 2014/04/17 16:04:47 christos Exp $");

 #include <dev/ic/aic79xx_osm.h>
 #include <dev/ic/aic79xx_inline.h>
@ -8605,13 +8605,11 @@ ahd_print_register(ahd_reg_parse_entry_t *table, u_int num_entries,
 		*cur_column = 0;
 	}
 	printed = snprintf(line, sizeof(line), "%s[0x%x]", name, value);
-	if (printed > sizeof(line))
 		printed = sizeof(line);
 	if (table == NULL) {
-		printed += snprintf(&line[printed], (sizeof line) - printed,
-		    " ");
-		if (printed > sizeof(line))
-			printed = sizeof(line);
+		if (printed < sizeof(line))
+		    printed += snprintf(&line[printed],
+			(sizeof line) - printed,
 		printf("%s", line);
 		if (cur_column != NULL)
 			*cur_column += printed;
@ -8627,12 +8625,11 @@ ahd_print_register(ahd_reg_parse_entry_t *table, u_int num_entries,
 			 || ((printed_mask & table[entry].mask)
 			  == table[entry].mask))
 				continue;
-			if (printed > sizeof(line))
-				printed = sizeof(line);
-			printed += snprintf(&line[printed],
-			    (sizeof line) - printed, "%s%s",
-				printed_mask == 0 ? ":(" : "|",
-				table[entry].name);
+			if (printed < sizeof(line))
+			    printed += snprintf(&line[printed],
+				(sizeof line) - printed, "%s%s",
+				    printed_mask == 0 ? ":(" : "|",
+				    table[entry].name);
 			printed_mask |= table[entry].mask;

 			break;
@ -8640,14 +8637,14 @@ ahd_print_register(ahd_reg_parse_entry_t *table, u_int num_entries,
 		if (entry >= num_entries)
 			break;
 	}
-	if (printed > sizeof(line))
-		printed = sizeof(line);
-	if (printed_mask != 0)
-		printed += snprintf(&line[printed],
-		    (sizeof line) - printed, ") ");
-	else
-		printed += snprintf(&line[printed],
-		    (sizeof line) - printed, " ");
+	if (printed < sizeof(line)) {
+		if (printed_mask != 0)
+			printed += snprintf(&line[printed],
+			    (sizeof line) - printed, ") ");
+		else
+			printed += snprintf(&line[printed],
+			    (sizeof line) - printed, " ");
+	}
 	if (cur_column != NULL)
 		*cur_column += printed;
 	printf("%s", line);