Date:      Tue, 31 Mar 2009 10:33:33 +0200
From:      Dimitry Andric <dimitry@andric.com>
To:        Bruce Cran <bruce@cran.org.uk>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Off-by-one error in ngets() causing panic in loader(8)?
Message-ID:  <49D1D55D.9080008@andric.com>
In-Reply-To: <20090330222307.25181df6@gluon.draftnet>
References:  <20090330222307.25181df6@gluon.draftnet>

On 2009-03-30 23:23, Bruce Cran wrote:
> I've noticed that if I fill the input buffer at the loader prompt on
> 7-STABLE I get a panic with a guard page failure.  From what I can see
> the loader uses the ngets function in src/lib/libstand/gets.c with a
> buffer of size 256.  If I print out the value of strlen(input) in
> interp.c I get 256. Shouldn't line 77 of gets.c be comparing (lp-buf)
> against (n-1) instead of n?

Yes, either that, or change all callers to use "sizeof buf - 1" or
similar.  However, the latter is not how the normal fgets(3) works, so
it is probably better to fix it in ngets() itself. :)
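
The off-by-one discussed in this thread, as an added example that is not part of the original e-mail and is not the libstand source. It is a simplified model of a bounded line reader: `read_line`, `overflows`, the 8-byte buffer and the canary byte are assumptions made for illustration, and input comes from a string rather than the console.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ  8        /* constructed size; the buffer in the thread is 256 */
#define CANARY 0x5A     /* marks the byte just past the buffer */

/*
 * Hypothetical bounded line reader. `limit` is the number of characters
 * accepted before input is dropped; the NUL terminator is written afterwards.
 */
static void
read_line(char *buf, size_t limit, const char *in)
{
	char *lp = buf;

	for (; *in != '\0' && *in != '\n'; in++) {
		if ((size_t)(lp - buf) < limit)
			*lp++ = *in;    /* excess input is silently dropped */
	}
	*lp = '\0';                     /* lands at buf[limit] when the line is full */
}

/* Returns 1 if the byte just past an n-byte buffer was overwritten. */
static int
overflows(size_t n, size_t limit, const char *in)
{
	char arena[BUFSZ + 1];          /* arena[n] stands in for the guard page */

	memset(arena, CANARY, sizeof(arena));
	read_line(arena, limit, in);
	return (arena[n] != CANARY);
}

int
main(void)
{
	const char *full = "AAAAAAAAAAAAAAAA\n";  /* constructed: longer than BUFSZ */

	printf("compare against n:     overflow=%d\n", overflows(BUFSZ, BUFSZ, full));
	printf("compare against n - 1: overflow=%d\n", overflows(BUFSZ, BUFSZ - 1, full));
	printf("short input, limit n:  overflow=%d\n", overflows(BUFSZ, BUFSZ, "boot\n"));
	return (0);
}
```

With the limit set to `n`, a full line stores `n` characters and the terminator is written one byte past the buffer; with `n - 1` the terminator stays inside it.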


