OpenSolaris

Bug ID 6796549
Synopsis Array overrun in vscand
State 10-Fix Delivered (Fix available in build)
Category:Subcategory utility:vscan
Keywords parfait
Responsible Engineer Joyce Mcintosh
Reported Against
Duplicate Of
Introduced In solaris_nevada
Commit to Fix snv_109
Fixed In snv_109
Release Fixed solaris_nevada(snv_109)
Related Bugs 6623189
Submit Date 22-January-2009
Last Update Date 25-February-2009
Description
usr/src/cmd/vscan/vscand/vs_icap.c

1227:		hlen = snprintf(head, sizeof (head), "%x\r\n", nread);
1228:		hdr += (VS_HDR_SZ - hlen);
1229:		(void) memcpy(hdr, head, hlen);
1230:		tail = hdr + (hlen + nread);
1231:		tail[0] = '\r';
1232:		tail[1] = '\n';

hdr is a pointer into vsi_send_hdr in the structure:
typedef struct vs_info {
	char vsi_send_hdr[VS_HDR_SZ];
	char vsi_send_buf[VS_BUF_SZ + VS_TAIL_SZ];
	char vsi_recv_buf[VS_BUF_SZ];
	...
} vs_info_t;
The pointer "tail" (calculated from "hdr") ends up pointing past the end of vsi_send_hdr and into the following array, vsi_send_buf. This may be intentional, although the correct offset into the following array could be calculated directly from vsi_send_buf instead.

This bug was found using the Parfait source code analysis tool.
See http://research.sun.com/projects/parfait
Work Around
N/A
Comments
Yes, it is intentional that the tail points into the next array.
The message is made up of header, data and tail. These are split into two arrays: vsi_send_hdr and vsi_send_buf, where the header is in the former and the data and tail are in the latter.

The code could be better written such that the tail pointer is calculated relative to the start of the vsi_send_buf array.
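The following C program is an added example, not code from vscand or from the bug's reporter or engineer. It reproduces the pointer arithmetic quoted in the description (header right-aligned at the end of vsi_send_hdr, tail derived from hdr), places the rewrite suggested in the comment next to it (tail computed from vsi_send_buf), and checks with offsetof that the layout assumption the original arithmetic relies on actually holds. The array sizes VS_HDR_SZ, VS_BUF_SZ and VS_TAIL_SZ are constructed for this example and are not vscand's real values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for this example; vscand's real values come from its headers. */
#define VS_HDR_SZ   16
#define VS_BUF_SZ   64
#define VS_TAIL_SZ  2

typedef struct vs_info {
	char vsi_send_hdr[VS_HDR_SZ];
	char vsi_send_buf[VS_BUF_SZ + VS_TAIL_SZ];
	char vsi_recv_buf[VS_BUF_SZ];
} vs_info_t;

/* Does the layout assumption hold: vsi_send_buf directly follows vsi_send_hdr? */
int hdr_and_buf_adjacent(void)
{
	return (offsetof(vs_info_t, vsi_send_buf) ==
	    offsetof(vs_info_t, vsi_send_hdr) + VS_HDR_SZ);
}

/*
 * Mirrors the arithmetic quoted in the bug: the chunk-size line is right-
 * aligned at the end of vsi_send_hdr so it abuts the data in vsi_send_buf,
 * and tail is derived from hdr. Returns tail's offset from vsi_send_buf,
 * or -1 if the header line would not fit in head[].
 */
long tail_offset_via_hdr(vs_info_t *vsp, size_t nread)
{
	char head[VS_HDR_SZ];
	int hlen;
	char *hdr = vsp->vsi_send_hdr;
	char *tail;

	hlen = snprintf(head, sizeof (head), "%x\r\n", (unsigned int)nread);
	if (hlen < 0 || (size_t)hlen >= sizeof (head))
		return (-1);	/* would be truncated; added guard, not in the original */
	hdr += (VS_HDR_SZ - hlen);
	(void) memcpy(hdr, head, hlen);
	/* hdr + hlen is one past vsi_send_hdr; only adjacency makes this land in vsi_send_buf */
	tail = hdr + (hlen + nread);
	tail[0] = '\r';
	tail[1] = '\n';
	return ((long)(tail - vsp->vsi_send_buf));
}

/* The rewrite suggested in the comment: compute tail relative to vsi_send_buf. */
long tail_offset_via_buf(vs_info_t *vsp, size_t nread)
{
	char *tail = vsp->vsi_send_buf + nread;	/* VS_TAIL_SZ bytes reserved for \r\n */
	tail[0] = '\r';
	tail[1] = '\n';
	return ((long)(tail - vsp->vsi_send_buf));
}

/* Fill nread data bytes, run both computations and report whether they agree. */
int tails_agree(size_t nread)
{
	vs_info_t a, b;
	long oa, ob;

	if (nread > VS_BUF_SZ)		/* data must never exceed the data area */
		return (0);
	memset(&a, 0, sizeof (a));
	memset(&b, 0, sizeof (b));
	memset(a.vsi_send_buf, 'x', nread);
	memset(b.vsi_send_buf, 'x', nread);
	oa = tail_offset_via_hdr(&a, nread);
	ob = tail_offset_via_buf(&b, nread);
	return (oa == ob && oa == (long)nread &&
	    a.vsi_send_buf[nread] == '\r' && a.vsi_send_buf[nread + 1] == '\n');
}

int main(void)
{
	printf("adjacent=%d agree(0)=%d agree(max)=%d\n",
	    hdr_and_buf_adjacent(), tails_agree(0), tails_agree(VS_BUF_SZ));
	return (0);
}
```

Both computations yield the same tail position only because the two char arrays are adjacent in the struct; the offsetof check makes that dependency explicit, whereas computing from vsi_send_buf removes it entirely and keeps the write inside the array that was sized (VS_BUF_SZ + VS_TAIL_SZ) to hold it.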