OpenSolaris

Bug ID: 6764864
Synopsis: Array overrun in libraidcfg
State: 10-Fix Delivered (Fix available in build)
Category:Subcategory: utility:raidctl
Keywords: parfait | rtiq_reviewed | triaged
Responsible Engineer: Milan Jurik
Reported Against:
Duplicate Of:
Introduced In: solaris_nevada
Commit to Fix: snv_110
Fixed In: snv_110
Release Fixed: solaris_nevada(snv_110)
Related Bugs: 6508590
Submit Date: 29-October-2008
Last Update Date: 11-March-2009
Description
usr/src/lib/libraidcfg/common/raidcfg.c

1707:	if (type < OBJ_TYPE_SYSTEM || type > OBJ_TYPE_ALL)
1708:		return (ERR_DEVICE_INVALID);
1709:
1710:	for (obj_type_cnt = OBJ_SYSTEM; obj_type_cnt < OBJ_TYPE_ALL;
1711:	    ++obj_type_cnt) {
1712:		if (raid_obj_op_sys[type].compnum != NULL)
1713:			comp_num = raid_obj_op_sys[type].compnum(
1714:                       raid_tab, obj_id, obj_type_cnt);
1715:		else
1716:			comp_num = 0;

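The check on line 1707 allows the variable type to equal OBJ_TYPE_ALL, which is not actually a valid type - the maximum valid type is OBJ_TYPE_TASK. With type equal to OBJ_TYPE_ALL, the lookup raid_obj_op_sys[type] on line 1712 uses an index beyond the last valid type, which is the array overrun named in the synopsis.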

This bug was found using the Parfait source code analysis tool. 
See http://research.sun.com/projects/parfait
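The off-by-one in the range check, reproduced as an added example that is not the libraidcfg source and not the change delivered in snv_110. The enum values, the middle enum entry, the table contents and the helper names are constructed for illustration; the corrected comparison is an assumed fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins: names follow the report, values and layout are assumed. */
typedef enum {
	OBJ_TYPE_SYSTEM = 0,
	OBJ_TYPE_EXAMPLE,	/* hypothetical middle entry */
	OBJ_TYPE_TASK,		/* last valid type, per the report */
	OBJ_TYPE_ALL		/* sentinel: count of types, not a type itself */
} obj_type_t;

#define	SUCCESS			0
#define	ERR_DEVICE_INVALID	(-1)	/* constructed value */

typedef int (*compnum_fn)(int obj_id);
static int one_comp(int obj_id) { (void) obj_id; return (1); }

/* Table has OBJ_TYPE_ALL slots, so valid indexes are 0..OBJ_TYPE_TASK. */
static const compnum_fn op_table[OBJ_TYPE_ALL] = { one_comp, NULL, one_comp };

/* Range check as written on line 1707: the sentinel value passes. */
static int check_as_reported(int type)
{
	if (type < OBJ_TYPE_SYSTEM || type > OBJ_TYPE_ALL)
		return (ERR_DEVICE_INVALID);
	return (SUCCESS);
}

/* Assumed correction: reject anything at or beyond the sentinel. */
static int check_corrected(int type)
{
	if (type < OBJ_TYPE_SYSTEM || type >= OBJ_TYPE_ALL)
		return (ERR_DEVICE_INVALID);
	return (SUCCESS);
}

/* Table lookup guarded by the corrected check; never reads past the table. */
static int comp_count(int type, int obj_id)
{
	if (check_corrected(type) != SUCCESS)
		return (ERR_DEVICE_INVALID);
	return (op_table[type] != NULL ? op_table[type](obj_id) : 0);
}

int main(void)
{
	printf("reported check, sentinel: %d\n", check_as_reported(OBJ_TYPE_ALL));
	printf("corrected check, sentinel: %d\n", check_corrected(OBJ_TYPE_ALL));
	return (0);
}
```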
Work Around
N/A
Comments
N/A