From owner-freebsd-new-bus@FreeBSD.ORG  Fri Nov  6 15:51:04 2009
Return-Path: <owner-freebsd-new-bus@FreeBSD.ORG>
Delivered-To: freebsd-new-bus@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9C7211065672;
	Fri,  6 Nov 2009 15:51:04 +0000 (UTC) (envelope-from jhb@freebsd.org)
Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42])
	by mx1.freebsd.org (Postfix) with ESMTP id 6CA5E8FC1D;
	Fri,  6 Nov 2009 15:51:04 +0000 (UTC)
Received: from bigwig.baldwin.cx (66.111.2.69.static.nyinternet.net
	[66.111.2.69])
	by cyrus.watson.org (Postfix) with ESMTPSA id 064A546B1A;
	Fri,  6 Nov 2009 10:51:04 -0500 (EST)
Received: from jhbbsd.hudson-trading.com (unknown [209.249.190.8])
	by bigwig.baldwin.cx (Postfix) with ESMTPA id 2F36E8A01D;
	Fri,  6 Nov 2009 10:51:03 -0500 (EST)
From: John Baldwin <jhb@freebsd.org>
To: Attilio Rao <attilio@freebsd.org>
Date: Fri, 6 Nov 2009 10:43:52 -0500
User-Agent: KMail/1.9.7
References: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a@mail.gmail.com>
In-Reply-To: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200911061043.52738.jhb@freebsd.org>
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0.1
	(bigwig.baldwin.cx); Fri, 06 Nov 2009 10:51:03 -0500 (EST)
X-Virus-Scanned: clamav-milter 0.95.1 at bigwig.baldwin.cx
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.5 required=4.2 tests=AWL,BAYES_00,RDNS_NONE
	autolearn=no version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bigwig.baldwin.cx
Cc: Warner Losh <imp@freebsd.org>, freebsd-new-bus@freebsd.org,
	Scott Long <scottl@freebsd.org>, Ed Maste <emaste@sandvine.com>
Subject: Re: [PATCH] Buffer overflow in devclass_add_device()
X-BeenThere: freebsd-new-bus@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: FreeBSD's new-bus architecture <freebsd-new-bus.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-new-bus>, 
	<mailto:freebsd-new-bus-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-new-bus>
List-Post: <mailto:freebsd-new-bus@freebsd.org>
List-Help: <mailto:freebsd-new-bus-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-new-bus>,
	<mailto:freebsd-new-bus-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Nov 2009 15:51:04 -0000

On Friday 06 November 2009 10:20:35 am Attilio Rao wrote:
> A buffer overflow is possible in devclass_add_device().
> More specifically, the dev nameunit construction is based on the
> assumption that the unit linked with the device is invariant but that
> can change when calling devclass_alloc_unit() (because -1 is passed
> or, more simply, because the unit choosen is beyond the table limits).
> This results in a buffer overflow if the bug is too short on the
> second snprintf().
> This patch should fix it:
> http://www.freebsd.org/~attilio/Sandvine/STABLE_8/subr_bus/subr_bus.diff
> 
> aiming for the max possible number of digits necessary.
> This bug has been found by Sandvine Incorporated.
> Please reivew.

Looks ok to me.

-- 
John Baldwin