Date: Fri, 7 Nov 2014 00:29:29 GMT From: John-Mark Gurney <jmg@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 1202586 for review Message-ID: <201411070029.sA70TTsD011712@skunkworks.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://p4web.freebsd.org/@@1202586?ac=10 Change 1202586 by jmg@jmg_carbon2 on 2014/11/07 00:28:51 make sure that the passed in name is NUL terminated so we don't strlen random kernel memory... use strncpy here... Even though we aren't leaking kernel memory, it's cleaner to NUL out the remaining buffer... for those that ask, there is a security reason why strncpy exists... Sponsored by: FreeBSD Foundation Sponsored by: Netgate Affected files ... .. //depot/projects/opencrypto/sys/opencrypto/cryptodev.c#11 edit Differences ... ==== //depot/projects/opencrypto/sys/opencrypto/cryptodev.c#11 (text+ko) ==== @@ -1151,14 +1151,16 @@ cryptodev_find(struct crypt_find_op *find) { device_t dev; + size_t fnlen = sizeof find->name; if (find->crid != -1) { dev = crypto_find_device_byhid(find->crid); if (dev == NULL) return (ENOENT); - strlcpy(find->name, device_get_nameunit(dev), - sizeof(find->name)); + strncpy(find->name, device_get_nameunit(dev), fnlen); + find->name[fnlen - 1] = '\x0'; } else { + find->name[fnlen - 1] = '\x0'; find->crid = crypto_find_driver(find->name); if (find->crid == -1) return (ENOENT);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201411070029.sA70TTsD011712>