From 08e69010f5c599471e779fac59066fb3cdbb5012 Mon Sep 17 00:00:00 2001
From: jsg
Date: Sat, 3 Feb 2024 00:28:07 +0000
Subject: [PATCH] fix vmd vioblk fd closing bounds test found by "buffer overflow 'vioblk->disk_fd' 4 <= 15" smatch error ok dv@
---
 usr.sbin/vmd/vioblk.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/usr.sbin/vmd/vioblk.c b/usr.sbin/vmd/vioblk.c
index 4dbd7f129ad..427fdea43c1 100644
--- a/usr.sbin/vmd/vioblk.c
+++ b/usr.sbin/vmd/vioblk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vioblk.c,v 1.9 2023/09/26 01:53:54 dv Exp $ */
+/* $OpenBSD: vioblk.c,v 1.10 2024/02/03 00:28:07 jsg Exp $ */
 /*
 * Copyright (c) 2023 Dave Voutila
@@ -67,7 +67,7 @@ __dead void
 vioblk_main(int fd, int fd_vmm)
 {
 struct virtio_dev dev;
- struct vioblk_dev *vioblk;
+ struct vioblk_dev *vioblk = NULL;
 struct viodev_msg msg;
 struct vmd_vm vm;
 struct vm_create_params *vcp;
@@ -210,7 +210,7 @@ vioblk_main(int fd, int fd_vmm)
 /* Clean shutdown. */
 close_fd(dev.sync_fd);
 close_fd(dev.async_fd);
- for (i = 0; i < (int)sizeof(vioblk->disk_fd); i++)
+ for (i = 0; i < vioblk->ndisk_fd; i++)
 close_fd(vioblk->disk_fd[i]);
 _exit(0);
 /* NOTREACHED */
@@ -227,8 +227,10 @@ fail:
 close_fd(dev.sync_fd);
 close_fd(dev.async_fd);
- for (i = 0; i < (int)sizeof(vioblk->disk_fd); i++)
- close_fd(vioblk->disk_fd[i]);
+ if (vioblk != NULL) {
+ for (i = 0; i < vioblk->ndisk_fd; i++)
+ close_fd(vioblk->disk_fd[i]);
+ }
 _exit(ret);
 /* NOTREACHED */
 }
-- 
2.20.1
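Review bot: Both close loops (the clean-shutdown hunk at -210 and the `fail:` hunk at -227) now take `vioblk->ndisk_fd` as their only bound, and nothing visible in these hunks checks that field against the element count of `disk_fd`. The old bound was wrong because it used the byte size, but it was at least a compile-time constant; if `ndisk_fd` is populated from data handed to this process and is not range-checked elsewhere in `vioblk_main` (its body lies mostly outside the hunks, so this is unconfirmed), a too-large value would again index past the array and pass unrelated memory to `close_fd()`. Either validate the count once where the device struct is filled in, or clamp in the loop itself, e.g. `for (i = 0; i < vioblk->ndisk_fd && i < (int)(sizeof(vioblk->disk_fd) / sizeof(vioblk->disk_fd[0])); i++)`. A short comment at the new `if (vioblk != NULL)` guard saying which early `goto fail` paths leave the pointer unset would also help the next reader.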