From: Dimitry Andric
Date: Tue, 31 Mar 2009 10:33:33 +0200
To: Bruce Cran
Cc: freebsd-stable@freebsd.org
Subject: Re: Off-by-one error in ngets() causing panic in loader(8)?
Message-ID: <49D1D55D.9080008@andric.com>
In-Reply-To: <20090330222307.25181df6@gluon.draftnet>

On 2009-03-30 23:23, Bruce Cran wrote:
> I've noticed that if I fill the input buffer at the loader prompt on
> 7-STABLE I get a panic with a guard page failure. From what I can see
> the loader uses the ngets function in src/lib/libstand/gets.c with a
> buffer of size 256. If I print out the value of strlen(input) in
> interp.c I get 256.
>
> Shouldn't line 77 of gets.c be comparing (lp-buf) against (n-1)
> instead of n?

Yes, either that, or change all callers to use "sizeof buf - 1" or
similar. However, the latter is not how the normal fgets(3) works, so
it is probably better to fix it in ngets() itself. :)
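The off-by-one discussed in this thread, as an added example that is neither Bruce's nor Dimitry's code nor libstand's own: a simplified model of ngets() that reads from an in-memory string instead of getchar(), run into a 256-byte buffer with one guard byte placed just past it, so that the original "(lp - buf) < n" test is seen to put the terminating NUL on the guard byte while "(lp - buf) < n - 1" does not. The names ngets_model and probe, the guard value and the constructed input are this example's own assumptions.

```c
#include <stddef.h>
#include <string.h>

/*
 * Simplified model of libstand's ngets(): copy characters into buf until a
 * newline, limited by n. getchar() is replaced by an in-memory string so the
 * model runs offline; the real function's line-editing keys are left out.
 */
static void
ngets_model(char *buf, int n, const char *input, int fixed)
{
	char *lp = buf;
	int c, limit;

	/* Original test: (lp - buf) < n lets lp reach buf + n, so the NUL
	 * written below lands at buf[n]. Fixed test: (lp - buf) < n - 1. */
	limit = fixed ? n - 1 : n;
	while ((c = (unsigned char)*input++) != '\0') {
		if (c == '\n' || c == '\r')
			break;
		if (n < 1 || (lp - buf) < limit)	/* n < 1 means no limit */
			*lp++ = (char)c;
	}
	*lp = '\0';	/* terminator; the limit must leave room for this byte */
}

#define BUFSZ 256	/* the loader's input buffer size from the report */
#define GUARD 0x5a	/* constructed guard value placed just past the buffer */

/* len: strlen() of what was stored; guard_ok: 1 if the guard byte survived */
struct probe_result { size_t len; int guard_ok; };

/* Feed over-long constructed input into a BUFSZ buffer followed by one
 * guard byte, and report what the chosen length test did to that byte. */
struct probe_result
probe(int fixed)
{
	struct probe_result r;
	char storage[BUFSZ + 1];	/* nominal buffer plus the guard byte */
	char input[BUFSZ + 100];	/* constructed: longer than the buffer */

	memset(input, 'A', sizeof(input) - 2);
	input[sizeof(input) - 2] = '\n';
	input[sizeof(input) - 1] = '\0';
	storage[BUFSZ] = GUARD;
	ngets_model(storage, BUFSZ, input, fixed);
	r.guard_ok = storage[BUFSZ] == GUARD;
	r.len = strlen(storage);	/* 256 with the original check, 255 fixed */
	return r;
}
```

With the original test the stored string is 256 characters long, matching the strlen(input) value reported above, because its NUL sits in the byte after the buffer; with the fixed test it is 255 and the guard byte is untouched.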