Date: Tue, 25 Jun 2019 19:06:44 +0000 (UTC) From: Ed Maste <emaste@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r349385 - head/usr.sbin/bhyve Message-ID: <201906251906.x5PJ6iZI072231@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: emaste Date: Tue Jun 25 19:06:43 2019 New Revision: 349385 URL: https://svnweb.freebsd.org/changeset/base/349385 Log: bhyve: avoid theoretical stack buffer overflow from integer overflow Use the proper size_t type to match strlen's return type. This is not exploitable in practice as this parses command line arguments, which are limited to well below 2^31 bytes. This is a minimal change to address the reported issue; hda_parse_config and the rest of this file will benefit from further review. Reported by: Fakhri Zulkifli Reviewed by: jhb, markj MFC after: 3 days Sponsored by: The FreeBSD Foundation Modified: head/usr.sbin/bhyve/pci_hda.c Modified: head/usr.sbin/bhyve/pci_hda.c ============================================================================== --- head/usr.sbin/bhyve/pci_hda.c Tue Jun 25 18:58:51 2019 (r349384) +++ head/usr.sbin/bhyve/pci_hda.c Tue Jun 25 19:06:43 2019 (r349385) @@ -324,15 +324,14 @@ hda_parse_config(const char *opts, const char *key, ch char buf[64]; char *s = buf; char *tmp = NULL; - int len; + size_t len; int i; if (!opts) return (0); len = strlen(opts); - - if (len >= 64) { + if (len >= sizeof(buf)) { DPRINTF("Opts too big\n"); return (0); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201906251906.x5PJ6iZI072231>