Date: Fri, 7 Jan 2011 16:46:20 +0000 (UTC) From: Matthew D Fleming <mdf@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r217109 - head/sys/geom/part Message-ID: <201101071646.p07GkKTV058962@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mdf Date: Fri Jan 7 16:46:20 2011 New Revision: 217109 URL: http://svn.freebsd.org/changeset/base/217109 Log: Fix a memory overflow where the input length to g_gpt_utf8_to_utf16() was specified incorrectly, causing the bzero to run past the end of a malloc(9)'d object. Submitted by: Eric Youngblut < eyoungblut AT isilon DOT com > MFC after: 3 days Modified: head/sys/geom/part/g_part_gpt.c Modified: head/sys/geom/part/g_part_gpt.c ============================================================================== --- head/sys/geom/part/g_part_gpt.c Fri Jan 7 16:13:12 2011 (r217108) +++ head/sys/geom/part/g_part_gpt.c Fri Jan 7 16:46:20 2011 (r217109) @@ -425,7 +425,8 @@ g_part_gpt_add(struct g_part_table *base } if (gpp->gpp_parms & G_PART_PARM_LABEL) g_gpt_utf8_to_utf16(gpp->gpp_label, entry->ent.ent_name, - sizeof(entry->ent.ent_name)); + sizeof(entry->ent.ent_name) / + sizeof(entry->ent.ent_name[0])); return (0); } @@ -588,7 +589,8 @@ g_part_gpt_modify(struct g_part_table *b } if (gpp->gpp_parms & G_PART_PARM_LABEL) g_gpt_utf8_to_utf16(gpp->gpp_label, entry->ent.ent_name, - sizeof(entry->ent.ent_name)); + sizeof(entry->ent.ent_name) / + sizeof(entry->ent.ent_name[0])); return (0); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201101071646.p07GkKTV058962>