From: Simon Wilkinson Date: Thu, 28 Feb 2013 17:14:20 +0000 (+0000) Subject: afsmonitor: Fix multiple NUM_CM_STAT_ENTRIES overflows X-Git-Tag: upstream/1.8.0_pre1^2~1378 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=3beca62928665868294ec3e9d34ab63b41e12645;p=packages%2Fo%2Fopenafs.git afsmonitor: Fix multiple NUM_CM_STAT_ENTRIES overflows If an array is n elements long, accessing element array[n] is an overflow. Fix various places where we apply loop bounds incorrectly using the NUM_CM_STAT_ENTRIES constant. Caught by coverity (#985571, #985573) Change-Id: I24a53e8044d3d5d39d070909400329a82f22b6b9 Reviewed-on: http://gerrit.openafs.org/9316 Tested-by: BuildBot Reviewed-by: Jeffrey Altman --- diff --git a/src/afsmonitor/afsmonitor.c b/src/afsmonitor/afsmonitor.c index 722d03b41..aec815bd6 100644 --- a/src/afsmonitor/afsmonitor.c +++ b/src/afsmonitor/afsmonitor.c @@ -1299,8 +1299,8 @@ parse_showEntry(char *a_line) if (strcasestr(arg2, "_group") != NULL) { - if (fromIdx < 0 || toIdx < 0 || fromIdx > NUM_CM_STAT_ENTRIES - || toIdx > NUM_CM_STAT_ENTRIES) + if (fromIdx < 0 || toIdx < 0 || fromIdx >= NUM_CM_STAT_ENTRIES + || toIdx >= NUM_CM_STAT_ENTRIES) return (-10); for (j = fromIdx; j <= toIdx; j++) { if (!cm_showFlags[j]) { @@ -1308,7 +1308,7 @@ parse_showEntry(char *a_line) cm_DisplayItems_count++; cm_showFlags[j] = 1; } - if (cm_DisplayItems_count > NUM_CM_STAT_ENTRIES) { + if (cm_DisplayItems_count >= NUM_CM_STAT_ENTRIES) { fprintf(stderr, "[ %s ] cm_DisplayItems_count ovf\n", rn); return (-11); } @@ -1327,8 +1327,8 @@ parse_showEntry(char *a_line) if (strcasestr(catName, "_group") != NULL) { if (fromIdx < 0 || toIdx < 0 - || fromIdx > NUM_CM_STAT_ENTRIES - || toIdx > NUM_CM_STAT_ENTRIES) + || fromIdx >= NUM_CM_STAT_ENTRIES + || toIdx >= NUM_CM_STAT_ENTRIES) return (-12); for (j = fromIdx; j <= toIdx; j++) { if (!cm_showFlags[j]) { 
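Review bot: The index range test in the `_group` branch at @@ -1299 is repeated verbatim in the second `_group` branch at @@ -1327, and the same off-by-one had to be corrected in both copies. Keeping the bound in one place, for example `static int cm_idx_ok(int i) { return i >= 0 && i < NUM_CM_STAT_ENTRIES; }` called for both fromIdx and toIdx, would stop the two copies drifting apart again. Both rejections (`return (-10)` and `return (-12)`) are also silent, whereas the count check further down prints to stderr. Unless the caller reports these codes (not visible here), a one-line `fprintf(stderr, ...)` naming the rejected indices would make a bad config line easier to diagnose. parse_showEntry starts and ends outside the hunk.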
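Review bot: The `cm_DisplayItems_count >= NUM_CM_STAT_ENTRIES` test at @@ -1308 (and its twin at @@ -1336) runs after `cm_DisplayItems_count++`, so it reports a full table after the fact instead of guarding the store. The line between this hunk and the previous one is not shown, but if it stores into an array indexed by `cm_DisplayItems_count`, the test belongs before that store, as the first statement inside `if (!cm_showFlags[j])`: `if (cm_DisplayItems_count >= NUM_CM_STAT_ENTRIES) { fprintf(stderr, "[ %s ] cm_DisplayItems_count ovf\n", rn); return (-11); }`. As written, the post-increment `>=` also appears to return -11 as soon as the last valid slot has been filled, so a configuration that selects every entry would be rejected as an overflow. It is worth confirming whether that is intended. The enclosing loop and function extend outside the hunk.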
@@ -1336,7 +1336,7 @@ parse_showEntry(char *a_line) cm_DisplayItems_count++; cm_showFlags[j] = 1; } - if (cm_DisplayItems_count > NUM_CM_STAT_ENTRIES) { + if (cm_DisplayItems_count >= NUM_CM_STAT_ENTRIES) { fprintf(stderr, "[ %s ] cm_DisplayItems_count ovf\n", rn); return (-13);