From owner-freebsd-new-bus Mon Aug 5 5:45:14 2002 Delivered-To: freebsd-new-bus@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D834037B400 for ; Mon, 5 Aug 2002 05:45:11 -0700 (PDT) Received: from mail.speakeasy.net (mail13.speakeasy.net [216.254.0.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7BB2843E42 for ; Mon, 5 Aug 2002 05:45:11 -0700 (PDT) (envelope-from jhb@FreeBSD.org) Received: (qmail 1447 invoked from network); 5 Aug 2002 12:45:09 -0000 Received: from unknown (HELO server.baldwin.cx) ([216.27.160.63]) (envelope-sender ) by mail13.speakeasy.net (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 5 Aug 2002 12:45:09 -0000 Received: from laptop.baldwin.cx (laptop.baldwin.cx [192.168.0.4]) by server.baldwin.cx (8.12.5/8.12.5) with ESMTP id g75Cj7uR071879 for ; Mon, 5 Aug 2002 08:45:07 -0400 (EDT) (envelope-from jhb@FreeBSD.org) Message-ID: X-Mailer: XFMail 1.5.2 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Date: Mon, 05 Aug 2002 08:45:07 -0400 (EDT) From: John Baldwin To: new-bus@FreeBSD.org Subject: buffer overflow in devclass_add_device()... Sender: owner-freebsd-new-bus@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Just in case you all didn't know this already, in the case of an unwired device (dev->unit == -1) devclass_add_device() malloc's a string assuming the unit count is 2 chars wide. If we get a unit >= 100, then we will overflow the buffer. Probably we should just malloc the nameunit buffer after we do the devclass_alloc_unit(). -- John Baldwin <>< http://www.FreeBSD.org/~jhb/ "Power Users Use the Power to Serve!" - http://www.FreeBSD.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-new-bus" in the body of the message