Date: Thu, 9 Oct 2014 01:54:33 +0000 (UTC)
From: Marcel Moolenaar <marcel@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r272785 - head/sys/boot/i386/gptboot
Message-ID: <201410090154.s991sXmN051445@svn.freebsd.org>
Author: marcel Date: Thu Oct 9 01:54:32 2014 New Revision: 272785 URL: https://svnweb.freebsd.org/changeset/base/272785 Log: Properly NUL-terminate the on-stack buffer for reading /boot.config or /boot/config. In qemu, on a warm boot, the stack is not all zeroes and we parse beyond the file's contents. Obtained from: Juniper Networks, Inc. Modified: head/sys/boot/i386/gptboot/gptboot.c Modified: head/sys/boot/i386/gptboot/gptboot.c ============================================================================== --- head/sys/boot/i386/gptboot/gptboot.c Thu Oct 9 01:53:23 2014 (r272784) +++ head/sys/boot/i386/gptboot/gptboot.c Thu Oct 9 01:54:32 2014 (r272785) @@ -136,6 +136,7 @@ int main(void) { char cmd[512], cmdtmp[512]; + ssize_t sz; int autoboot, dskupdated; ufs_ino_t ino; @@ -164,9 +165,10 @@ main(void) for (;;) { *kname = '\0'; if ((ino = lookup(PATH_CONFIG)) || - (ino = lookup(PATH_DOTCONFIG))) - fsread(ino, cmd, sizeof(cmd)); - + (ino = lookup(PATH_DOTCONFIG))) { + sz = fsread(ino, cmd, sizeof(cmd) - 1); + cmd[(sz < 0) ? 0 : sz] = '\0'; + } if (*cmd != '\0') { memcpy(cmdtmp, cmd, sizeof(cmdtmp)); if (parse(cmdtmp, &dskupdated))
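Review bot: in the second hunk (main(), @@ -164,9 +165,10), `cmd` is NUL-terminated only when one of the two `lookup()` calls succeeds. When both fail, the following `if (*cmd != '\0')` test still reads `cmd[0]`, and nothing in the visible lines initialises it, so the stale-stack parse described in the log could remain on the no-config path. Please confirm that `cmd[0]` is set before the `for (;;)` loop, or initialise it there. The `sizeof(cmd) - 1` length together with the `(sz < 0) ? 0 : sz` clamp keeps the terminator index in bounds for both the full-read and error cases, which looks right. Note that `memcpy(cmdtmp, cmd, sizeof(cmdtmp))` still copies the unread tail of the buffer past the new NUL, so the fix relies on `parse()` stopping at the first NUL. A one-line comment above the `fsread()` call saying why one byte is reserved would help the next reader.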