Date: Fri, 7 Nov 2014 00:29:29 GMT
From: John-Mark Gurney
Subject: PERFORCE change 1202586 for review
To: Perforce Change Reviews

http://p4web.freebsd.org/@@1202586?ac=10

Change 1202586 by jmg@jmg_carbon2 on 2014/11/07 00:28:51

	make sure that the passed in name is NUL terminated so we don't strlen random kernel memory... use strncpy here... Even though we aren't leaking kernel memory, it's cleaner to NUL out the remaining buffer... for those that ask, there is a security reason why strncpy exists...

	Sponsored by: FreeBSD Foundation
	Sponsored by: Netgate

Affected files ...

.. //depot/projects/opencrypto/sys/opencrypto/cryptodev.c#11 edit

Differences ...

==== //depot/projects/opencrypto/sys/opencrypto/cryptodev.c#11 (text+ko) ==== @@ -1151,14 +1151,16 @@ cryptodev_find(struct crypt_find_op *find) { device_t dev; + size_t fnlen = sizeof find->name; if (find->crid != -1) { dev = crypto_find_device_byhid(find->crid); if (dev == NULL) return (ENOENT); - strlcpy(find->name, device_get_nameunit(dev), - sizeof(find->name)); + strncpy(find->name, device_get_nameunit(dev), fnlen); + find->name[fnlen - 1] = '\x0'; } else { + find->name[fnlen - 1] = '\x0'; find->crid = crypto_find_driver(find->name); if (find->crid == -1) return (ENOENT);
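
Review bot: In the else branch, `find->name[fnlen - 1] = '\x0';` silently truncates a passed-in name that fills the whole buffer without a terminator, and `crypto_find_driver(find->name)` then looks up the shortened string. Consider returning an error when no NUL is found within the first `fnlen` bytes, rather than rewriting the caller's input and searching on a name the caller did not supply. In the `crid != -1` branch the strncpy followed by the explicit terminator is the right order, but the reason for preferring strncpy over the removed strlcpy (zero-filling the rest of `find->name`) is stated only in the commit message; a one-line comment at the call would keep a later cleanup from switching it back. Style: `sizeof find->name` drops the parentheses that the removed line `sizeof(find->name)` used, and `'\x0'` would read more conventionally as `'\0'`.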