From owner-freebsd-bugs Sat Aug 10 09:20:04 1996 Return-Path: owner-bugs Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA06048 for bugs-outgoing; Sat, 10 Aug 1996 09:20:04 -0700 (PDT) Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA06042; Sat, 10 Aug 1996 09:20:02 -0700 (PDT) Resent-Date: Sat, 10 Aug 1996 09:20:02 -0700 (PDT) Resent-Message-Id: <199608101620.JAA06042@freefall.freebsd.org> Resent-From: gnats (GNATS Management) Resent-To: freebsd-bugs Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, ikuo@isl.intec.co.jp Received: from ftp.intec.co.jp (root@is.intec.co.jp [133.230.1.34]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA05895 for ; Sat, 10 Aug 1996 09:15:38 -0700 (PDT) Received: from bishop.isl.intec.co.jp by ftp.intec.co.jp (8.7.5+2.6Wbeta6/3.4W4-generic) id BAA12610; Sun, 11 Aug 1996 01:15:30 +0900 (JST) Received: (from uucp@localhost) by bishop.isl.intec.co.jp (8.7.5/3.4W4-bishop) with UUCP id BAA28432; Sun, 11 Aug 1996 01:15:29 +0900 (JST) Received: (from root@localhost) by pawn.isl.intec.co.jp (8.7.5/3.4W4-uucp) id AAA00789; Sun, 11 Aug 1996 00:55:22 +0900 (JST) Message-Id: <199608101555.AAA00789@pawn.isl.intec.co.jp> Date: Sun, 11 Aug 1996 00:55:22 +0900 (JST) From: Ikuo Nakagawa Reply-To: ikuo@isl.intec.co.jp To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: kern/1488: /sys/i386/isa/spkr.c does not check the length of a string Sender: owner-bugs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >Number: 1488 >Category: kern >Synopsis: /sys/i386/isa/spkr.c does not check the length of a string >Confidential: no >Severity: critical >Priority: medium >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Aug 10 09:20:01 PDT 1996 >Last-Modified: >Originator: Ikuo Nakagawa >Organization: INTEC Inc. 
>Release: FreeBSD 2.2-960801-SNAP i386 >Environment: System: FreeBSD 2.2-960801-SNAP Architecture: i386 >Description: Playstring() function in /sys/i386/isa/spkr.c has two arguments, `cp' ... a string to play, `slen' ... the length of the string pointed by `cp'. But, codes like { cp++; slen--; } are evaluated WITHOUT checking the value of `slen'. >How-To-Repeat: Following code MAY cause kernel panic... { int fd = open("/dev/speaker", O_WRONLY); write(fd, "T120O3A8.", 9); } >Fix: *** spkr.c.orig Sat Aug 10 23:07:28 1996 --- spkr.c Sat Aug 10 23:07:28 1996 *************** *** 281,287 **** { int pitch, oldfill, lastpitch = OCTAVE_NOTES * DFLT_OCTAVE; ! #define GETNUM(cp, v) for(v=0; isdigit(cp[1]) && slen > 0; ) \ {v = v * 10 + (*++cp - '0'); slen--;} for (; slen--; cp++) { --- 281,287 ---- { int pitch, oldfill, lastpitch = OCTAVE_NOTES * DFLT_OCTAVE; ! #define GETNUM(cp, v) for(v=0; slen && isdigit(cp[1]); ) \ {v = v * 10 + (*++cp - '0'); slen--;} for (; slen--; cp++) { *************** *** 300,312 **** pitch = notetab[c - 'A'] + octave * OCTAVE_NOTES; /* this may be followed by an accidental sign */ ! if (cp[1] == '#' || cp[1] == '+') { ++pitch; ++cp; slen--; } ! else if (cp[1] == '-') { --pitch; ++cp; --- 300,312 ---- pitch = notetab[c - 'A'] + octave * OCTAVE_NOTES; /* this may be followed by an accidental sign */ ! if (slen && (cp[1] == '#' || cp[1] == '+')) { ++pitch; ++cp; slen--; } ! else if (slen && cp[1] == '-') { --pitch; ++cp; *************** *** 341,347 **** timeval = value; /* ...and/or sustain dots */ ! for (sustain = 0; cp[1] == '.'; cp++) { slen--; sustain++; --- 341,347 ---- timeval = value; /* ...and/or sustain dots */ ! for (sustain = 0; slen && cp[1] == '.'; cp++) { slen--; sustain++; *************** *** 349,355 **** /* ...and/or a slur mark */ oldfill = fill; ! if (cp[1] == '_') { fill = LEGATO; ++cp; --- 349,355 ---- /* ...and/or a slur mark */ oldfill = fill; ! 
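Review bot: In the 281,287 hunk GETNUM still accumulates digits into a plain `int` with no bound, so a long run of digits overflows `v` (undefined behaviour for signed int, in practice a negative value), and the `slen &&` reordering fixes only the read past the end of the buffer, not this. Saturate inside the macro while still consuming the digit so the loop terminates, e.g. `{ int d_ = *++cp - '0'; slen--; v = (v > (INT_MAX - d_) / 10) ? INT_MAX : v * 10 + d_; }` (INT_MAX from the kernel's limits header). The macro also reads and writes `slen`, which is not one of its parameters; a comment above it such as `/* consumes the digits following *cp; relies on the enclosing loop's slen being the count of bytes remaining after *cp */` would make that coupling explicit for the next maintainer. Every GETNUM user inherits the overflow, including the `pitch` and `timeval` reads in the hunks at 398 and 426.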
if (slen && cp[1] == '_') { fill = LEGATO; ++cp; *************** *** 363,375 **** break; case 'O': ! if (cp[1] == 'N' || cp[1] == 'n') { octprefix = octtrack = FALSE; ++cp; slen--; } ! else if (cp[1] == 'L' || cp[1] == 'l') { octtrack = TRUE; ++cp; --- 363,375 ---- break; case 'O': ! if (slen && (cp[1] == 'N' || cp[1] == 'n')) { octprefix = octtrack = FALSE; ++cp; slen--; } ! else if (slen && (cp[1] == 'L' || cp[1] == 'l')) { octtrack = TRUE; ++cp; *************** *** 398,410 **** case 'N': GETNUM(cp, pitch); ! for (sustain = 0; cp[1] == '.'; cp++) { slen--; sustain++; } oldfill = fill; ! if (cp[1] == '_') { fill = LEGATO; ++cp; --- 398,410 ---- case 'N': GETNUM(cp, pitch); ! for (sustain = 0; slen && cp[1] == '.'; cp++) { slen--; sustain++; } oldfill = fill; ! if (slen && cp[1] == '_') { fill = LEGATO; ++cp; *************** *** 426,432 **** GETNUM(cp, timeval); if (timeval <= 0 || timeval > MIN_VALUE) timeval = value; ! for (sustain = 0; cp[1] == '.'; cp++) { slen--; sustain++; --- 426,432 ---- GETNUM(cp, timeval); if (timeval <= 0 || timeval > MIN_VALUE) timeval = value; ! for (sustain = 0; slen && cp[1] == '.'; cp++) { slen--; sustain++; *************** *** 442,460 **** break; case 'M': ! if (cp[1] == 'N' || cp[1] == 'n') { fill = NORMAL; ++cp; slen--; } ! else if (cp[1] == 'L' || cp[1] == 'l') { fill = LEGATO; ++cp; slen--; } ! else if (cp[1] == 'S' || cp[1] == 's') { fill = STACCATO; ++cp; --- 442,460 ---- break; case 'M': ! if (slen && (cp[1] == 'N' || cp[1] == 'n')) { fill = NORMAL; ++cp; slen--; } ! else if (slen && (cp[1] == 'L' || cp[1] == 'l')) { fill = LEGATO; ++cp; slen--; } ! else if (slen && (cp[1] == 'S' || cp[1] == 's')) { fill = STACCATO; ++cp; >Audit-Trail: >Unformatted:
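Review bot: In the `case 'N':` hunk (398,410) the number GETNUM parses into `pitch` is used with no range check, whereas the sibling hunk at 426 clamps its result with `if (timeval <= 0 || timeval > MIN_VALUE) timeval = value;`. What `pitch` is later used for lies outside the hunk, but if it selects an entry of a fixed-size note table a user-supplied `N` number larger than that table would read past it; add a clamp directly after `GETNUM(cp, pitch);`, e.g. `if (pitch < 0 || pitch > <TABLE_SIZE>) pitch = <safe default>;` with the bound taken from the table's definition. The remaining hunks on this line (349, 363, 426, 442) only add the `slen` lookahead guards, which are consistent with `slen` being the byte count after `*cp` inside the `for (; slen--; cp++)` loop.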