From owner-freebsd-new-bus@FreeBSD.ORG Fri Nov 6 16:22:38 2009
From: Attilio Rao <asmrookie@gmail.com>
To: M. Warner Losh
Cc: freebsd-new-bus@freebsd.org, scottl@freebsd.org, emaste@sandvine.com
Date: Fri, 6 Nov 2009 17:22:36 +0100
Subject: Re: [PATCH] Buffer overflow in devclass_add_device()
Message-ID: <3bbf2fe10911060822g35b81099ib6fa53473d7c20fe@mail.gmail.com>
In-Reply-To: <20091106.091543.2076840904.imp@bsdimp.com>
References: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a@mail.gmail.com> <20091106.091543.2076840904.imp@bsdimp.com>
List-Id: FreeBSD's new-bus architecture

2009/11/6 M. Warner Losh:
> In message: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a@mail.gmail.com>
>             Attilio Rao writes:
> : A buffer overflow is possible in devclass_add_device().
> : More specifically, the dev nameunit construction is based on the
> : assumption that the unit linked with the device is invariant, but that
> : can change when calling devclass_alloc_unit() (because -1 is passed
> : or, more simply, because the unit chosen is beyond the table limits).
> : This results in a buffer overflow if the buffer is too short on the
> : second snprintf().
> : This patch should fix it:
> : http://www.freebsd.org/~attilio/Sandvine/STABLE_8/subr_bus/subr_bus.diff
> :
> : aiming for the max possible number of digits necessary.
> : This bug has been found by Sandvine Incorporated.
> : Please review.
>
> I don't see a problem with it, except you'd want -INT_MAX to be
> paranoid, since it is one character longer (or just add 1) :)

I don't think that unit numbers can grow negative, can they?

Thanks,
Attilio

--
Peace can only be achieved by understanding - A. Einstein
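The ordering problem the thread describes, as an added example in C that is not the FreeBSD subr_bus.c code and not Attilio's patch. A toy unit table (`toy_devclass`, `toy_alloc_unit`, `build_nameunit` and `scenario` are all constructed names) stands in for a devclass. The buggy path sizes the nameunit buffer from the unit the caller asked for, lets the allocator pick a different unit, and only then formats; the fixed path sizes for the widest possible `int` (`INT_MIN`, which also covers the `-INT_MAX` case Warner raises) so the size no longer depends on a value that can change between the two `snprintf()` calls. Because the formatting here is bounded, the bug shows up as a truncated name and a positive shortfall rather than a heap write; an unbounded write at the same point is what the thread's overflow would be.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a devclass unit table; not the FreeBSD code. */
#define UNIT_TABLE_SIZE 128

struct toy_devclass {
    const char *name;
    bool in_use[UNIT_TABLE_SIZE];
};

/* Marks units 0 .. units_taken-1 as already assigned. */
static void toy_devclass_init(struct toy_devclass *dc, const char *name, int units_taken)
{
    memset(dc, 0, sizeof *dc);
    dc->name = name;
    for (int u = 0; u < units_taken && u < UNIT_TABLE_SIZE; u++)
        dc->in_use[u] = true;
}

/* Mirrors the contract the thread describes: -1 means "any unit", and a
 * requested unit that is taken or out of range is replaced by the first
 * free one.  Returns 0 on success, -1 when the table is full. */
static int toy_alloc_unit(struct toy_devclass *dc, int *unitp)
{
    int u = *unitp;

    if (u >= 0 && u < UNIT_TABLE_SIZE && !dc->in_use[u]) {
        dc->in_use[u] = true;
        return 0;
    }
    for (u = 0; u < UNIT_TABLE_SIZE; u++) {
        if (!dc->in_use[u]) {
            dc->in_use[u] = true;
            *unitp = u;
            return 0;
        }
    }
    return -1;
}

/* Builds "<name><unit>".  With use_fix == false the buffer is sized from
 * the unit the caller asked for, before toy_alloc_unit may replace it (the
 * ordering bug).  With use_fix == true it is sized for the widest int
 * ("-2147483648"), independent of what the allocator later picks.
 * Returns the shortfall in bytes (needed minus allocated, 0 when it fit),
 * or -1 on allocation failure, and copies the produced string into out. */
static long build_nameunit(struct toy_devclass *dc, int requested, bool use_fix,
                           char *out, size_t outlen)
{
    int unit = requested;
    int size_from = use_fix ? INT_MIN : requested;
    size_t allocated = (size_t)snprintf(NULL, 0, "%s%d", dc->name, size_from) + 1;
    char *nameunit = malloc(allocated);

    if (nameunit == NULL)
        return -1;
    if (toy_alloc_unit(dc, &unit) != 0) {
        free(nameunit);
        return -1;
    }
    /* The unit may differ from `requested` now; the buffer does not grow. */
    size_t needed = (size_t)snprintf(NULL, 0, "%s%d", dc->name, unit) + 1;
    snprintf(nameunit, allocated, "%s%d", dc->name, unit);  /* bounded: truncates */
    snprintf(out, outlen, "%s", nameunit);
    free(nameunit);
    return needed > allocated ? (long)(needed - allocated) : 0;
}

/* One end-to-end scenario: class "foo" with its first units_taken units
 * busy, and a caller requesting unit `requested`. */
static long scenario(bool use_fix, int units_taken, int requested, char *out, size_t outlen)
{
    struct toy_devclass dc;

    toy_devclass_init(&dc, "foo", units_taken);
    return build_nameunit(&dc, requested, use_fix, out, outlen);
}

int main(void)
{
    char buf[64];
    long short_by;

    /* Units 0..99 are taken; asking for -1 yields unit 100. */
    short_by = scenario(false, 100, -1, buf, sizeof buf);
    printf("buggy sizing: name=%s, short by %ld byte(s)\n", buf, short_by);
    short_by = scenario(true, 100, -1, buf, sizeof buf);
    printf("fixed sizing: name=%s, short by %ld byte(s)\n", buf, short_by);
    return 0;
}
```

With units 0..99 busy and a wildcard request, the buggy path reserves room for "foo-1" (6 bytes) but ends up needing "foo100" (7 bytes), so it produces the truncated "foo10"; the fixed path reserves 15 bytes and produces "foo100". The other defensible fix is to move the size computation after `toy_alloc_unit()` so both `snprintf()` calls see the same unit; sizing for `INT_MIN` is what the patch's "max possible number of digits" approach amounts to, and it needs no knowledge of the allocator at all.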