From owner-freebsd-bugs Sat Aug 10 10:20:04 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA09367 for bugs-outgoing; Sat, 10 Aug 1996 10:20:04 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA09335; Sat, 10 Aug 1996 10:20:02 -0700 (PDT)
Date: Sat, 10 Aug 1996 10:20:02 -0700 (PDT)
Message-Id: <199608101720.KAA09335@freefall.freebsd.org>
To: freebsd-bugs
Cc:
From: Bruce Evans
Subject: Re: kern/1488: /sys/i386/isa/spkr.c does not check the length of a string
Reply-To: Bruce Evans
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR kern/1488; it has been noted by GNATS.

From: Bruce Evans
To: FreeBSD-gnats-submit@FreeBSD.org, ikuo@isl.intec.co.jp
Cc:
Subject: Re: kern/1488: /sys/i386/isa/spkr.c does not check the length of a string
Date: Sun, 11 Aug 1996 03:07:51 +1000

 >>Description:
 >The playstring() function in /sys/i386/isa/spkr.c has two arguments,
 >  `cp'   ... a string to play,
 >  `slen' ... the length of the string pointed to by `cp'.
 >But code like { cp++; slen--; } is evaluated WITHOUT checking
 >the value of `slen'.
 >>How-To-Repeat:
 >The following code MAY cause a kernel panic...
 >{
 >    int fd = open("/dev/speaker", O_WRONLY);
 >    write(fd, "T120O3A8.", 9);
 >}
 >>Fix:

 I think simply nul terminating the string would work. (uiomove() at most DEV_BSIZE-1 bytes and add a nul.)

 Bruce
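As an added illustration of the two remedies discussed in this thread (the per-step slen check the PR asks for, and the bounded copy plus nul that Bruce proposes), here is example code that is not the spkr.c source; the modelled command syntax, the MODEL_BUFSZ stand-in for DEV_BSIZE and all function names are assumptions:

```c
#include <stddef.h>
#include <string.h>

/* Constructed model (not the spkr.c code) of a play-string parser for
 * strings such as "T120O3A8.": T<tempo>, O<octave>, a note letter with an
 * optional duration and trailing dots. Every advance checks slen first,
 * which is the check the PR says the original cp++/slen-- steps lack. */

#define MODEL_BUFSZ 512   /* stands in for DEV_BSIZE; the value is an assumption */

/* Bruce's suggested fix, modelled: keep at most MODEL_BUFSZ-1 bytes of the
 * user's write and nul-terminate the kernel copy. Returns bytes kept. */
size_t copy_play_string(const char *user, size_t len, char out[MODEL_BUFSZ])
{
    size_t n = len < MODEL_BUFSZ - 1 ? len : MODEL_BUFSZ - 1;
    memcpy(out, user, n);   /* stands in for uiomove() */
    out[n] = '\0';
    return n;
}

/* Consume a run of digits without passing the end of the buffer. */
static int scan_number(const char **cp, int *slen)
{
    int n = 0;
    while (*slen > 0 && **cp >= '0' && **cp <= '9') {
        n = n * 10 + (**cp - '0');
        (*cp)++; (*slen)--;
    }
    return n;
}

/* Parse commands; returns the count parsed, or -1 on an unknown byte.
 * It never reads beyond the slen bytes it was given, nul or no nul. */
int playstring_bounded(const char *cp, int slen)
{
    int ncmds = 0;
    while (slen > 0) {
        char c = *cp++; slen--;
        switch (c) {
        case 'T': case 'O':
            scan_number(&cp, &slen);
            break;
        case 'A': case 'B': case 'C': case 'D': case 'E': case 'F': case 'G':
            scan_number(&cp, &slen);                          /* optional duration */
            while (slen > 0 && *cp == '.') { cp++; slen--; }  /* dots */
            break;
        default:
            return -1;
        }
        ncmds++;
    }
    return ncmds;
}
```

With the PR's 9-byte string, playstring_bounded("T120O3A8.", 9) returns 3 and stops exactly at the ninth byte; a shorter slen simply truncates the parse instead of running past it.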