Date: Fri, 6 Nov 2009 16:20:35 +0100
From: Attilio Rao <attilio@freebsd.org>
To: freebsd-new-bus@freebsd.org, John Baldwin <jhb@freebsd.org>, Scott Long <scottl@freebsd.org>, Warner Losh <imp@freebsd.org>, Ed Maste <emaste@sandvine.com>
Subject: [PATCH] Buffer overflow in devclass_add_device()
Message-ID: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a@mail.gmail.com>
A buffer overflow is possible in devclass_add_device(). More specifically, the dev nameunit construction is based on the assumption that the unit linked with the device is invariant, but that can change when calling devclass_alloc_unit() (because -1 is passed or, more simply, because the unit chosen is beyond the table limits). This results in a buffer overflow if the buffer is too short on the second snprintf().

This patch should fix it:
http://www.freebsd.org/~attilio/Sandvine/STABLE_8/subr_bus/subr_bus.diff
aiming for the max possible number of digits necessary.

This bug has been found by Sandvine Incorporated.

Please review.

Thanks,
Attilio

--
Peace can only be achieved by understanding - A. Einstein
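As an added illustration (not the patch above and not FreeBSD's subr_bus.c; every name here is a hypothetical stand-in), a small C model of the sizing mistake the message describes: the name buffer is sized from the unit the device asked for, but the unit actually handed out by the allocator can be larger, so the final snprintf() no longer fits; sizing for the widest unit that could ever be printed, as the patch aims to, removes the mismatch.

```c
/* Constructed model of "size the buffer, then let the unit change". */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAXDEVS 128

struct devclass {
    const char *name;
    int used[MAXDEVS];          /* 1 if that unit number is already taken */
};

/* Hypothetical stand-in for devclass_alloc_unit(): -1 means "any free unit";
 * otherwise the requested unit is used if free, else the next free one. */
static int alloc_unit(struct devclass *dc, int want)
{
    for (int u = (want < 0) ? 0 : want; u < MAXDEVS; u++)
        if (!dc->used[u]) { dc->used[u] = 1; return u; }
    return -1;                  /* table full */
}

/* Build "<class><unit>". size_for_max == 0: buffer sized from the requested
 * unit (the bug). size_for_max == 1: sized for INT_MAX, the widest unit that
 * can be printed (the fix). Returns 1 if the final write did not fit, 0 if it
 * fit, -1 on allocation failure. *out receives the name; caller frees it. */
static int add_device(struct devclass *dc, int want, int size_for_max, char **out)
{
    int buflen = snprintf(NULL, 0, "%s%d", dc->name, size_for_max ? INT_MAX : want) + 1;
    char *buf = calloc(1, (size_t)buflen);
    if (buf == NULL)
        return -1;
    int unit = alloc_unit(dc, want);      /* may differ from 'want' */
    if (unit < 0) { free(buf); return -1; }
    /* Bounded write: with an undersized buffer this shows up as truncation;
     * an unbounded sprintf() would instead write past the allocation. */
    int need = snprintf(buf, (size_t)buflen, "%s%d", dc->name, unit);
    *out = buf;
    return need >= buflen;
}

/* Constructed scenario: units sio0..sio99 already exist, so any request
 * (including -1) lands on unit 100, which needs more digits than planned. */
static int demo(int want, int size_for_max)
{
    struct devclass dc = { "sio", { 0 } };
    for (int u = 0; u < 100; u++)
        dc.used[u] = 1;
    char *name = NULL;
    int r = add_device(&dc, want, size_for_max, &name);
    free(name);
    return r;
}
```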