afsmonitor: Fix multiple NUM_FS_STAT_ENTRIES overflows
authorSimon Wilkinson <sxw@your-file-system.com>
Thu, 28 Feb 2013 17:14:20 +0000 (17:14 +0000)
committerStephan Wiesand <stephan.wiesand@desy.de>
Tue, 3 Jun 2014 16:28:01 +0000 (12:28 -0400)
If an array is n elements long, accessing element array[n] is an
overflow. Fix various places where we apply loop bounds incorrectly
using the NUM_FS_STAT_ENTRIES constant.

Caught by coverity (#985570, #985571, #985572)

Reviewed-on: http://gerrit.openafs.org/9315
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit 4ea1c8440aad6bb6dc9cdb598b5708c685603219)

Change-Id: I028fcb13716ba60266635a1f04f2dda083cba1a3
Reviewed-on: http://gerrit.openafs.org/11028
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
src/afsmonitor/afsmonitor.c

index 1fb2f8a88f3f0baf8a0064efda387456ce7fa66d..11c68e21c1387e8b5c915f2e12ff4de07e73c0cd 100644 (file)
@@ -1186,8 +1186,8 @@ parse_showEntry(char *a_line)
 
        if (strcasestr(arg2, "_group") != (char *)NULL) {
 
-           if (fromIdx < 0 || toIdx < 0 || fromIdx > NUM_FS_STAT_ENTRIES
-               || toIdx > NUM_FS_STAT_ENTRIES)
+           if (fromIdx < 0 || toIdx < 0 || fromIdx >= NUM_FS_STAT_ENTRIES
+               || toIdx >= NUM_FS_STAT_ENTRIES)
                return (-2);
            for (j = fromIdx; j <= toIdx; j++) {
                if (!fs_showFlags[j]) {
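Review bot: The index range test in this `_group` branch is repeated verbatim in the third hunk (the one returning -4), and this commit had to correct the same off-by-one in both copies. Moving it into one small static helper, called as `if (!fs_idx_range_ok(fromIdx, toIdx)) return (-2);` (the helper name is only a suggestion), would keep the guard in front of `fs_showFlags[j]` from drifting again. The test also lets `fromIdx > toIdx` through, which turns the loop into a silent no-op; a one-line comment saying whether that is intended would help. parse_showEntry starts and ends outside the hunk.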
@@ -1195,7 +1195,7 @@ parse_showEntry(char *a_line)
                    fs_DisplayItems_count++;
                    fs_showFlags[j] = 1;
                }
-               if (fs_DisplayItems_count > NUM_FS_STAT_ENTRIES) {
+               if (fs_DisplayItems_count >= NUM_FS_STAT_ENTRIES) {
                    fprintf(stderr, "[ %s ] fs_DisplayItems_count ovf\n", rn);
                    return (-3);
                }
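Review bot: The `fs_DisplayItems_count` limit is tested only after the increment, so it does not guard anything indexed by the counter earlier in the same iteration (the line just above this hunk is not shown), and with `>=` it now returns -3 as soon as the count reaches exactly NUM_FS_STAT_ENTRIES. If the display map has NUM_FS_STAT_ENTRIES slots, that is a full but valid state, so a configuration that selects every entry would be reported as an overflow. Testing before the store, inside the `if (!fs_showFlags[j])` block, avoids both problems: `if (fs_DisplayItems_count >= NUM_FS_STAT_ENTRIES) return (-3);` placed ahead of the increment. The fourth hunk (the one returning -5) has the same shape. The loop body begins outside this hunk.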
@@ -1214,8 +1214,8 @@ parse_showEntry(char *a_line)
 
                if (strcasestr(catName, "_group") != NULL) {
                    if (fromIdx < 0 || toIdx < 0
-                       || fromIdx > NUM_FS_STAT_ENTRIES
-                       || toIdx > NUM_FS_STAT_ENTRIES)
+                       || fromIdx >= NUM_FS_STAT_ENTRIES
+                       || toIdx >= NUM_FS_STAT_ENTRIES)
                        return (-4);
                    for (j = fromIdx; j <= toIdx; j++) {
                        if (!fs_showFlags[j]) {
@@ -1223,7 +1223,7 @@ parse_showEntry(char *a_line)
                            fs_DisplayItems_count++;
                            fs_showFlags[j] = 1;
                        }
-                       if (fs_DisplayItems_count > NUM_FS_STAT_ENTRIES) {
+                       if (fs_DisplayItems_count >= NUM_FS_STAT_ENTRIES) {
                            fprintf(stderr,
                                    "[ %s ] fs_DisplayItems_count ovf\n", rn);
                            return (-5);