Date: Tue, 31 Mar 2009 10:31:34 -0400
From: John Baldwin <jhb@freebsd.org>
To: freebsd-stable@freebsd.org
Cc: Bruce Cran <bruce@cran.org.uk>
Subject: Re: Off-by-one error in ngets() causing panic in loader(8)?
Message-ID: <200903311031.34730.jhb@freebsd.org>
In-Reply-To: <20090330222307.25181df6@gluon.draftnet>
References: <20090330222307.25181df6@gluon.draftnet>

On Monday 30 March 2009 5:23:07 pm Bruce Cran wrote:
> I've noticed that if I fill the input buffer at the loader prompt on
> 7-STABLE I get a panic with a guard page failure. From what I can see
> the loader uses the ngets function in src/lib/libstand/gets.c with a
> buffer of size 256. If I print out the value of strlen(input) in
> interp.c I get 256. Shouldn't line 77 of gets.c be comparing (lp-buf)
> against (n-1) instead of n?

Yep. I've committed the fix. The libstand(3) manpage states that ngets()
puts in at most n - 1 characters followed by a NULL, so n - 1 is the
correct fix.

-- 
John Baldwin
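
The off-by-one discussed in this thread, as an added example that is not part of the original message and is not libstand's code: read_line() is a hypothetical, simplified stand-in for a bounded line reader, and the guard byte and 300-character input are constructed. Comparing (lp - buf) against n stores 256 characters and puts the terminator one byte past a 256-byte buffer; comparing against n - 1 keeps it inside.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ  256   /* buffer size mentioned in the thread */
#define CANARY 0x5a  /* constructed guard value */

/* Simplified stand-in for a bounded line reader (hypothetical, not
 * libstand's ngets): store characters while (lp - buf) < limit, drop
 * the rest, then write the terminating NUL. */
static size_t read_line(char *buf, size_t limit, const char *src)
{
    char *lp = buf;

    for (; *src != '\0' && *src != '\n'; src++)
        if ((size_t)(lp - buf) < limit)
            *lp++ = *src;
    *lp = '\0';
    return (size_t)(lp - buf);
}

/* Feed 300 constructed characters into a BUFSZ-byte buffer that is
 * followed by one guard byte. Returns 1 if the guard byte was
 * overwritten; *len receives the stored string length. */
static int guard_clobbered(size_t limit, size_t *len)
{
    char area[BUFSZ + 1];
    char input[301];

    memset(input, 'A', sizeof(input) - 1);
    input[sizeof(input) - 1] = '\0';
    memset(area, CANARY, sizeof(area));
    *len = read_line(area, limit, input);
    return area[BUFSZ] != CANARY;
}

int main(void)
{
    size_t len;
    int hit;

    hit = guard_clobbered(BUFSZ, &len);      /* compare against n */
    printf("limit n:     len=%zu guard overwritten=%d\n", len, hit);
    hit = guard_clobbered(BUFSZ - 1, &len);  /* compare against n - 1 */
    printf("limit n - 1: len=%zu guard overwritten=%d\n", len, hit);
    return 0;
}
```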