From: John Baldwin <jhb@freebsd.org>
To: "M. Warner Losh"
Cc: attilio@freebsd.org, freebsd-new-bus@freebsd.org, scottl@freebsd.org, emaste@sandvine.com
Date: Fri, 6 Nov 2009 11:45:18 -0500
Subject: Re: [PATCH] Buffer overflow in devclass_add_device()
Message-Id: <200911061145.19212.jhb@freebsd.org>
In-Reply-To: <20091106.091543.2076840904.imp@bsdimp.com>
References: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a@mail.gmail.com> <20091106.091543.2076840904.imp@bsdimp.com>
List-Id: FreeBSD's new-bus architecture
On Friday 06 November 2009 11:15:43 am M. Warner Losh wrote:
> In message: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a@mail.gmail.com>
>             Attilio Rao writes:
> : A buffer overflow is possible in devclass_add_device().
> : More specifically, the dev nameunit construction is based on the
> : assumption that the unit linked with the device is invariant, but that
> : can change when calling devclass_alloc_unit() (because -1 is passed
> : or, more simply, because the unit chosen is beyond the table limits).
> : This results in a buffer overflow if the buffer is too short on the
> : second snprintf().
> : This patch should fix it:
> : http://www.freebsd.org/~attilio/Sandvine/STABLE_8/subr_bus/subr_bus.diff
> :
> : aiming for the max possible number of digits necessary.
> : This bug has been found by Sandvine Incorporated.
> : Please review.
>
> I don't see a problem with it, except you'd want -INT_MAX to be
> paranoid, since it is one character longer (or just add 1) :)
>
> However, it might be better to just allocate strlen(dc->name) +
> log10(INT_MAX) + 2 and not have snprintf do that calculation.  But it
> doesn't look like there's a compile-time constant for that...

In this case I think the snprintf() is fine as code-wise I think it is
simpler (it matches up well with the later snprintf() to fill out the
buffer).  Given that adding devices isn't generally a critical path, I
think the clarity is worth the probably quite small additional cost of
snprintf().

-- 
John Baldwin