From: John Baldwin
To: freebsd-stable@freebsd.org
Cc: Bruce Cran
Date: Tue, 31 Mar 2009 10:31:34 -0400
Subject: Re: Off-by-one error in ngets() causing panic in loader(8)?
Message-Id: <200903311031.34730.jhb@freebsd.org>
In-Reply-To: <20090330222307.25181df6@gluon.draftnet>

On Monday 30 March 2009 5:23:07 pm Bruce Cran wrote:
> I've noticed that if I fill the input buffer at the loader prompt on
> 7-STABLE I get panic with a guard page failure. From what I can see
> the loader uses the ngets function in src/lib/libstand/gets.c with a
> buffer of size of 256. If I print out the value of strlen(input) in
> interp.c I get 256. Shouldn't line 77 of gets.c be comparing (lp-buf)
> against (n-1) instead of n?

Yep. I've committed the fix. The libstand(3) manpage states that ngets()
puts in at most n - 1 characters followed by a NULL, so n - 1 is the
correct fix.

-- 
John Baldwin
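
The off-by-one discussed in this thread, as an added example that is not part of the original mail and is not the libstand source: a simplified bounded line reader run once with the bound at n and once at n - 1. The names ngets_model, run, guard_clobbered and stored_len, the guard byte and the 300-character input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ  256   /* buffer size quoted in the thread */
#define CANARY 0x5A  /* constructed guard value */

/* Simplified model of a bounded line reader (not the libstand source).
 * Stores input characters up to the bound, then writes the terminator.
 * fixed == 0: bound is n      (behaviour reported in the thread)
 * fixed == 1: bound is n - 1  (leaves room for the terminator) */
static size_t ngets_model(char *buf, int n, const char *src, int fixed)
{
    char *lp = buf;
    int limit = fixed ? n - 1 : n;

    for (; *src != '\0' && *src != '\n'; src++)
        if ((lp - buf) < limit)
            *lp++ = *src;          /* input beyond the bound is dropped */
    *lp = '\0';                    /* lands at buf[n] when limit == n */
    return (size_t)(lp - buf);
}

/* Run the model on an over-long constructed line. The buffer is the first
 * BUFSZ bytes of a BUFSZ + 1 byte arena, so a write to buf[BUFSZ] hits the
 * guard byte instead of unrelated memory. */
static int run(int fixed, size_t *len)
{
    char arena[BUFSZ + 1];
    char line[300 + 2];

    memset(line, 'A', 300);        /* constructed input: 300 characters */
    line[300] = '\n';
    line[301] = '\0';
    memset(arena, CANARY, sizeof(arena));

    *len = ngets_model(arena, BUFSZ, line, fixed);
    return (unsigned char)arena[BUFSZ] != CANARY;   /* 1 = guard clobbered */
}

int guard_clobbered(int fixed) { size_t len; return run(fixed, &len); }
size_t stored_len(int fixed)   { size_t len; run(fixed, &len); return len; }

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++)
        printf("bound=%s len=%zu guard_clobbered=%d\n", fixed ? "n-1" : "n",
               stored_len(fixed), guard_clobbered(fixed));
    return 0;
}
```

With the bound at n the stored length equals the buffer size, matching the strlen(input) of 256 reported above, and the terminator is written one byte past the end.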