OpenSolaris

Bug ID 6788327
Synopsis Array overrun in rmformat
State 10-Fix Delivered (Fix available in build)
Category:Subcategory utility:rmformat
Keywords parfait | rtiq_reviewed | triaged
Responsible Engineer Pavel Potoplyak
Reported Against
Duplicate Of
Introduced In solaris_9
Commit to Fix snv_113
Fixed In snv_113
Release Fixed solaris_nevada(snv_113)
Related Bugs
Submit Date 23-December-2008
Last Update Date 1-June-2009
Description
usr/src/cmd/rmformat/rmf_slice.c, lines 653-662:

		vt->v_part[index].p_start = val1;
		vt->v_part[index].p_size = val2;
		if (vtoc_tag != 0xFFFF) {
			vt->v_part[index].p_tag = vtoc_tag;
			vtoc_tag = 0xFFFF;
		}
		if (vtoc_flag != 0xFFFF) {
			vt->v_part[index].p_flag = vtoc_flag;
			vtoc_flag = 0xFFFF;
		}

The guard on index at line 467 is off by one: it allows index to range from
0..NDKMAP (16) inclusive, so index == NDKMAP writes one element past the end of v_part.
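The off-by-one described above, as an added illustration that is not code from rmformat or from the bug report: the struct layout and the exact form of the guard are assumptions (the report does not show line 467), but the pattern, a range check that rejects only index > NDKMAP instead of index >= NDKMAP, is the one the report describes, shown beside a corrected setter.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the Solaris VTOC layout: NDKMAP slices per label. */
#define NDKMAP 16

struct slice_like {
	uint32_t p_start;
	uint32_t p_size;
	uint16_t p_tag;
	uint16_t p_flag;
};

struct vtoc_like {
	struct slice_like v_part[NDKMAP];	/* valid indices: 0 .. NDKMAP-1 */
};

/* Assumed shape of the original guard: only index > NDKMAP is rejected,
 * so index == NDKMAP passes and later indexes v_part[NDKMAP], one past the end. */
int guard_accepts_buggy(int index)
{
	return !(index < 0 || index > NDKMAP);
}

/* Corrected guard: the last valid slice is NDKMAP-1. */
int guard_accepts_fixed(int index)
{
	return !(index < 0 || index >= NDKMAP);
}

/* Store a slice entry only after the corrected bounds check.
 * Returns 0 on success, -1 if the index is out of range. */
int set_slice(struct vtoc_like *vt, int index, uint32_t start, uint32_t size,
    uint16_t tag, uint16_t flag)
{
	if (!guard_accepts_fixed(index))
		return -1;
	vt->v_part[index].p_start = start;
	vt->v_part[index].p_size = size;
	vt->v_part[index].p_tag = tag;
	vt->v_part[index].p_flag = flag;
	return 0;
}

int main(void)
{
	struct vtoc_like vt;
	memset(&vt, 0, sizeof vt);
	printf("buggy guard accepts %d: %d\n", NDKMAP, guard_accepts_buggy(NDKMAP));
	printf("fixed guard accepts %d: %d\n", NDKMAP, guard_accepts_fixed(NDKMAP));
	printf("set_slice(%d) -> %d\n", NDKMAP, set_slice(&vt, NDKMAP, 0, 0, 0, 0));
	return 0;
}
```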

This bug was found using the Parfait source code analysis tool.
See http://research.sun.com/projects/parfait
Work Around
N/A
Comments
N/A