From 623534d68372646ded1503f2de5dd5dfdb0d84cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulrich=20Sp=C3=B6rlein?= <uqs@FreeBSD.org>
Date: Tue, 5 Jan 2016 10:25:22 +0000
Subject: [PATCH] Fix undefined behavior when using asmc_fan_getstring()

It was returning a pointer to stack-allocated memory, so make the
allocation at the caller instead.

Found by:	clang static analyzer
Coverity:	CID 1245774
Reviewed by:	ed, rpaulo
Review URL:	https://reviews.freebsd.org/D4740
---
 sys/dev/asmc/asmc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sys/dev/asmc/asmc.c b/sys/dev/asmc/asmc.c
index 2c8f6afbc89..9c8c89a7f6c 100644
--- a/sys/dev/asmc/asmc.c
+++ b/sys/dev/asmc/asmc.c
@@ -963,14 +963,13 @@ asmc_fan_getvalue(device_t dev, const char *key, int fan)
 }
 
 static char*
-asmc_fan_getstring(device_t dev, const char *key, int fan)
+asmc_fan_getstring(device_t dev, const char *key, int fan, uint8_t *buf, uint8_t buflen)
 {
-	uint8_t buf[16];
 	char fankey[5];
 	char* desc;
 
 	snprintf(fankey, sizeof(fankey), key, fan);
-	if (asmc_key_read(dev, fankey, buf, sizeof buf) < 0)
+	if (asmc_key_read(dev, fankey, buf, buflen) < 0)
 		return (NULL);
 	desc = buf+4;
 
@@ -1012,12 +1011,13 @@ asmc_mb_sysctl_fanspeed(SYSCTL_HANDLER_ARGS)
 static int
 asmc_mb_sysctl_fanid(SYSCTL_HANDLER_ARGS)
 {
+	uint8_t buf[16];
 	device_t dev = (device_t) arg1;
 	int fan = arg2;
 	int error = true;
 	char* desc;
 
-	desc = asmc_fan_getstring(dev, ASMC_KEY_FANID, fan);
+	desc = asmc_fan_getstring(dev, ASMC_KEY_FANID, fan, buf, sizeof(buf));
 
 	if (desc != NULL)
 		error = sysctl_handle_string(oidp, desc, 0, req);