Date: Tue, 11 Jun 2019 07:48:37 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 238486] Possible buffer overflow bug in sc_allocate_keyboard() of sys/dev/syscons/syscons.c Message-ID: <bug-238486-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238486 Bug ID: 238486 Summary: Possible buffer overflow bug in sc_allocate_keyboard() of sys/dev/syscons/syscons.c Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: yangx92@hotmail.com Created attachment 204976 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204976&action=edit Proposed patch There is a possible buffer overflow bug in sc_allocate_keyboard() of sys/dev/syscons/syscons.c. k0 = kbd_get_keyboard(idx0); for (idx = kbd_find_keyboard2("*", -1, 0); idx != -1; idx = kbd_find_keyboard2("*", -1, idx + 1)) { k = kbd_get_keyboard(idx); if (idx == idx0 || KBD_IS_BUSY(k)) continue; bzero(&ki, sizeof(ki)); strcpy(ki.kb_name, k->kb_name); ki.kb_unit = k->kb_unit; (void)kbdd_ioctl(k0, KBADDKBD, (caddr_t) &ki); } We should use strncpy to copy into a fixed-size buffer instead of strcpy(). The attachment is the proposed patch. -- You are receiving this mail because: You are the assignee for the bug.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-238486-227>