From owner-freebsd-stable@FreeBSD.ORG  Mon Mar 30 21:23:14 2009
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2040A1065675
	for <freebsd-stable@freebsd.org>; Mon, 30 Mar 2009 21:23:14 +0000 (UTC)
	(envelope-from bruce@cran.org.uk)
Received: from muon.cran.org.uk (brucec-1-pt.tunnel.tserv4.nyc4.ipv6.he.net
	[IPv6:2001:470:1f06:c09::2])
	by mx1.freebsd.org (Postfix) with ESMTP id D374A8FC16
	for <freebsd-stable@freebsd.org>; Mon, 30 Mar 2009 21:23:13 +0000 (UTC)
	(envelope-from bruce@cran.org.uk)
Received: from muon.cran.org.uk (localhost [127.0.0.1])
	by muon.cran.org.uk (Postfix) with ESMTP id 413D51924A
	for <freebsd-stable@freebsd.org>; Mon, 30 Mar 2009 22:23:17 +0000 (GMT)
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on muon
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=8.0 tests=AWL,BAYES_00,NO_RELAYS
	autolearn=ham version=3.2.5
Received: from gluon.draftnet (unknown
	[IPv6:2a01:348:10f:0:240:f4ff:fe57:9871])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	by muon.cran.org.uk (Postfix) with ESMTPSA
	for <freebsd-stable@freebsd.org>; Mon, 30 Mar 2009 22:23:17 +0000 (GMT)
Date: Mon, 30 Mar 2009 22:23:07 +0100
From: Bruce Cran <bruce@cran.org.uk>
To: freebsd-stable@freebsd.org
Message-ID: <20090330222307.25181df6@gluon.draftnet>
X-Mailer: Claws Mail 3.7.1 (GTK+ 2.14.7; i386-portbld-freebsd7.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Off-by-one error in ngets() causing panic in loader(8)?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2009 21:23:15 -0000

I've noticed that if I fill the input buffer at the loader prompt on
7-STABLE I get panic with a guard page failure.  From what I can see
the loader uses the ngets function in src/lib/libstand/gets.c with a
buffer of size of 256.  If I print out the value of strlen(input) in
interp.c I get 256. Shouldn't line 77 of gets.c be comparing (lp-buf)
against (n-1) instead of n?

-- 
Bruce Cran