From e7e9ed12e28c345b730aae97b62991a1b640fc7c Mon Sep 17 00:00:00 2001 From: Hans Rosenfeld Date: Thu, 20 Jul 2017 17:15:19 +0200 Subject: [PATCH] 8481 nvmeadm: nvme_dskname() string handling is buggy Reviewed by: Patrick Mooney Reviewed by: Jerry Jelinek Reviewed by: Yuri Pankov Reviewed by: Toomas Soome Approved by: Dan McDonald --- usr/src/cmd/nvmeadm/nvmeadm.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/usr/src/cmd/nvmeadm/nvmeadm.c b/usr/src/cmd/nvmeadm/nvmeadm.c index de1d3e0171..00931bf77e 100644 --- a/usr/src/cmd/nvmeadm/nvmeadm.c +++ b/usr/src/cmd/nvmeadm/nvmeadm.c @@ -432,21 +432,29 @@ nvme_dskname(const nvme_process_arg_t *npa) path = di_dim_path_dev(dim, di_driver_name(child), di_instance(child), "c"); - if (path != NULL) { - path[strlen(path) - 2] = '\0'; - path = strrchr(path, '/') + 1; - if (path != NULL) { - path = strdup(path); - if (path == NULL) - err(-1, "nvme_dskname"); - } - } + /* + * Error out if we didn't get a path, or if it's too short for + * the following operations to be safe. + */ + if (path == NULL || strlen(path) < 2) + goto fail; + + /* Chop off 's0' and get everything past the last '/' */ + path[strlen(path) - 2] = '\0'; + path = strrchr(path, '/'); + if (path == NULL) + goto fail; + path++; break; } di_dim_fini(dim); + return (path); + +fail: + err(-1, "nvme_dskname"); } static int -- 2.11.4.GIT
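Review bot: With the strdup() removed, `return (path);` now hands back a pointer into the middle of the buffer that di_dim_path_dev() returned (after `path = strrchr(path, '/');` and `path++;`), so the start of that buffer is no longer reachable. If that buffer is heap-allocated and owned by the caller, as it appears to be, it can never be freed, and any caller of nvme_dskname() that frees the result would pass free() an interior pointer; the callers are outside this hunk, so this needs confirming. Keeping the base pointer in its own variable and returning a copy of the tail avoids both problems: `name = strdup(slash + 1); free(path); if (name == NULL) goto fail;`. The `fail:` label also calls err(), which appends strerror(errno), but the short-path and missing-'/' cases do not set errno, so errx() with a specific message would avoid printing a stale error. nvme_dskname() begins above the hunk, so the loop and the initial value of `path` are not visible here.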