Date: Fri, 6 Nov 2009 10:43:52 -0500
From: John Baldwin <jhb@freebsd.org>
To: Attilio Rao <attilio@freebsd.org>
Cc: Warner Losh <imp@freebsd.org>, freebsd-new-bus@freebsd.org, Scott Long <scottl@freebsd.org>, Ed Maste <emaste@sandvine.com>
Subject: Re: [PATCH] Buffer overflow in devclass_add_device()
Message-ID: <200911061043.52738.jhb@freebsd.org>
In-Reply-To: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a@mail.gmail.com>
References: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a@mail.gmail.com>

On Friday 06 November 2009 10:20:35 am Attilio Rao wrote:
> A buffer overflow is possible in devclass_add_device().
> More specifically, the dev nameunit construction is based on the
> assumption that the unit linked with the device is invariant but that
> can change when calling devclass_alloc_unit() (because -1 is passed
> or, more simply, because the unit chosen is beyond the table limits).
> This results in a buffer overflow if the bug is too short on the
> second snprintf().
> This patch should fix it:
> http://www.freebsd.org/~attilio/Sandvine/STABLE_8/subr_bus/subr_bus.diff
>
> aiming for the max possible number of digits necessary.
> This bug has been found by Sandvine Incorporated.
> Please review.

Looks ok to me.

-- 
John Baldwin
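
The sizing problem described in the quoted report, as an added user-space illustration that is not part of this thread and is not the FreeBSD patch or kernel code: a name buffer sized from the unit number before allocation can be too short once the unit changes, while sizing for the widest possible int always fits. The helpers `alloc_unit()`, `name_bytes()` and `build_nameunit()`, the sample unit 1000, and the use of `INT_MIN` as the widest rendering are assumptions made for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for unit allocation: a wildcard request (-1) is
 * replaced by a concrete unit; 1000 is a constructed sample value. */
static int alloc_unit(int requested)
{
    return requested < 0 ? 1000 : requested;
}

/* Bytes needed for "<name><unit>" including the terminating NUL. */
static size_t name_bytes(const char *name, int unit)
{
    int n = snprintf(NULL, 0, "%s%d", name, unit);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Build "<name><unit>". worst_case == 0 sizes the buffer from the unit as
 * it was before allocation (fragile); otherwise it sizes for INT_MIN, the
 * widest rendering of an int. Returns NULL if the final name cannot fit. */
static char *build_nameunit(const char *name, int unit, int worst_case)
{
    size_t len = name_bytes(name, worst_case ? INT_MIN : unit);
    char *buf;
    int n;

    if (len == 0 || (buf = malloc(len)) == NULL)
        return NULL;
    unit = alloc_unit(unit);          /* the unit may change after sizing */
    n = snprintf(buf, len, "%s%d", name, unit);
    if (n < 0 || (size_t)n >= len) {  /* refuse instead of truncating */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    char *fragile = build_nameunit("foo", -1, 0);
    char *sized = build_nameunit("foo", -1, 1);
    printf("fragile: %s\n", fragile ? fragile : "(does not fit)");
    printf("worst-case: %s\n", sized ? sized : "(does not fit)");
    free(fragile);
    free(sized);
    return sized != NULL && strcmp(sized, "foo1000") == 0 ? 0 : 1;
}
```

The bounded second `snprintf()` and the check on its return value are an extra safeguard added in this example; they turn a too-short buffer into a clean failure rather than a silent truncation.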