Date: Sat, 10 Aug 1996 10:20:02 -0700 (PDT)
From: Bruce Evans <bde@zeta.org.au>
To: freebsd-bugs
Subject: Re: kern/1488: /sys/i386/isa/spkr.c does not check the length of a string
Message-ID: <199608101720.KAA09335@freefall.freebsd.org>

The following reply was made to PR kern/1488; it has been noted by GNATS.

From: Bruce Evans <bde@zeta.org.au>
To: FreeBSD-gnats-submit@FreeBSD.org, ikuo@isl.intec.co.jp
Cc:
Subject: Re: kern/1488: /sys/i386/isa/spkr.c does not check the length of a string
Date: Sun, 11 Aug 1996 03:07:51 +1000

>>Description:
>Playstring() function in /sys/i386/isa/spkr.c has two arguments,
>    `cp' ... a string to play,
>    `slen' ... the length of the string pointed by `cp'.
>But, codes like { cp++; slen--; } are evaluated WITHOUT checking
>the value of `slen'.

>>How-To-Repeat:
>Following code MAY cause kernel panic...
>{
>    int fd = open("/dev/speaker", O_WRONLY);
>    write(fd, "T120O3A8.", 9);
>}

>>Fix:

I think simply nul terminating the string would work. (uiomove() at
most DEV_BSIZE-1 bytes and add a nul.)

Bruce
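
Added example, not part of the original message and not code from spkr.c: a user-space C model of the unchecked lookahead the PR describes, run once without and once with the NUL terminator suggested in the reply. The names parse, play and BUFSZ, the simplified note grammar, and the stale dots left in the buffer are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 32 /* stand-in for DEV_BSIZE; value chosen for this model */

/* Simplified model of the parser pattern in the PR: after a note letter the
 * lookahead does { cp++; slen--; } without testing slen.  Returns the number
 * of bytes of the buffer that were consumed. */
static long parse(const char *cp, long slen)
{
    const char *start = cp;

    for (; slen > 0; cp++, slen--) {
        if (*cp < 'A' || *cp > 'G')
            continue;
        while (isdigit((unsigned char)cp[1])) { cp++; slen--; } /* duration */
        while (cp[1] == '.') { cp++; slen--; }                  /* sustain dots */
    }
    return (long)(cp - start);
}

/* Model of the write path: copy the caller's bytes into a buffer that still
 * holds stale data (constructed: all dots), optionally adding the NUL. */
static long play(const char *src, size_t len, int add_nul)
{
    char buf[BUFSZ];

    memset(buf, '.', BUFSZ - 1);
    buf[BUFSZ - 1] = '\0';          /* guard so the model never leaves buf */
    if (len > BUFSZ - 1)
        len = BUFSZ - 1;            /* at most BUFSZ-1 bytes, as in the fix */
    memcpy(buf, src, len);
    if (add_nul)
        buf[len] = '\0';            /* the suggested fix: lookahead stops here */
    return parse(buf, (long)len);
}

int main(void)
{
    printf("no NUL:   consumed %ld of 9 bytes\n", play("T120O3A8.", 9, 0));
    printf("with NUL: consumed %ld of 9 bytes\n", play("T120O3A8.", 9, 1));
    return 0;
}
```

Without the terminator the scan for sustain dots runs on into the stale bytes and slen goes negative; with it, the lookahead stops at the NUL and the parser consumes exactly the bytes that were written.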