rxgen: Don't overflow PackageIndex
author Simon Wilkinson <sxw@your-file-system.com>
Fri, 1 Mar 2013 11:35:05 +0000 (11:35 +0000)
committer Derrick Brashear <shadow@your-file-system.com>
Mon, 4 Mar 2013 03:02:25 +0000 (19:02 -0800)
PackageIndex++ returns the pre-index value of PackageIndex, so the
error statement isn't run when PackageIndex == MAX_PACKAGES. This
means we go on to overflow all of the arrays that are MAX_PACKAGES
in size.

Caught by coverity (#985583, #985584, #985585, #985586,
                    #985587, #985588, #985589)

Change-Id: If81f9ff89edc4cfd56677ff51cea71281ebe1e3b
Reviewed-on: http://gerrit.openafs.org/9325
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>

src/rxgen/rpc_parse.c

index b8bf6e1..9c3d133 100644 (file)
@@ -584,8 +584,11 @@ def_package(definition * defp)
     scan(TOK_IDENT, &tok);
     defp->def_name = tok.str;
     no_of_stat_funcs = 0;
-    if (PackageIndex++ >= MAX_PACKAGES)
+
+    PackageIndex++;
+    if (PackageIndex >= MAX_PACKAGES)
        error("Exceeded upper limit of package statements\n");
+
     function_list_index = 0;
     PackagePrefix[PackageIndex] = tok.str;
     if (MasterPrefix == NULL)
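
Review bot: The new `if (PackageIndex >= MAX_PACKAGES)` check only protects the store at `PackagePrefix[PackageIndex] = tok.str;` if error() never returns, and nothing visible in this hunk establishes that. Because the increment now happens unconditionally before the check, a returning error() would leave PackageIndex equal to MAX_PACKAGES and the write one element past the end would still occur. Either add a short comment stating that error() is fatal here, or test the limit before incrementing so the index is never left out of range. A one-line comment on why the increment is kept separate from the comparison would also stop a later cleanup from folding it back into `PackageIndex++ >= MAX_PACKAGES`.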