Date:      Sun, 6 Sep 2009 08:07:58 +0200
From:      Hans Petter Selasky <hselasky@c2i.net>
To:        freebsd-usb@freebsd.org
Cc:        freebsd-gnats-submit@freebsd.org
Subject:   Re: usb/138559: [usb8] uether sysctl handler doesn't NUL-terminate the string
Message-ID:  <200909060807.59357.hselasky@c2i.net>
In-Reply-To: <200909052214.n85ME42B047658@www.freebsd.org>
References:  <200909052214.n85ME42B047658@www.freebsd.org>

On Sunday 06 September 2009 00:14:04 Bruce Cran wrote:
> >Number:         138559
> >Category:       usb
> >Synopsis:       [usb8] uether sysctl handler doesn't NUL-terminate the string
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       low
> >Responsible:    freebsd-usb
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          sw-bug
> >Submitter-Id:   current-users
> >Arrival-Date:   Sat Sep 05 22:20:03 UTC 2009
> >Closed-Date:
> >Last-Modified:
> >Originator:     Bruce Cran
> >Release:        8.0-BETA3
> >Organization:
> >Environment:
>
> FreeBSD gluon.draftnet 8.0-BETA3 FreeBSD 8.0-BETA3 #1: Fri Sep  4 09:20:32
> BST 2009     brucec@gluon.draftnet:/usr/obj/usr/src/sys/GENERIC  i386
>
> >Description:
>
> The sysctl handler in sys/dev/usb/net/usb_ethernet.c line 143 doesn't
> NUL-terminate the sysctl string returned to the user because it passes the
> length as "strlen(name)" instead of "strlen(name)+1".
>
> >How-To-Repeat:
> >
> >Fix:
>
> Patch attached with submission follows:
>
> --- usb_ethernet.c.orig	2009-09-05 21:35:09.000000000 +0100
> +++ usb_ethernet.c	2009-09-05 21:36:18.000000000 +0100
> @@ -146,7 +146,7 @@
>  	const char *name;
>
>  	name = device_get_nameunit(ue->ue_dev);
> -	return SYSCTL_OUT(req, name, strlen(name));
> +	return SYSCTL_OUT(req, name, strlen(name) + 1);
>  }
>
>  int
>
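
Review bot: nothing at the changed SYSCTL_OUT call says that the length now deliberately includes the terminating NUL, so a later cleanup could drop it back to "strlen(name)" without noticing. A one-line comment above the return, for example "include the terminating NUL in the reply", would record the intent. The handler also copies out whatever device_get_nameunit() returns with no bound of its own, which is fine for a nameunit but worth stating in that same comment.
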
> >Release-Note:
> >Audit-Trail:
> >Unformatted:

Hi,

When plugging a USB ethernet adapter and printing out all sysctls, the parent
string does not look corrupt. Are you sure that the terminating zero is not 
inserted somewhere else?

--HPS
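
The following C program is an added illustration, not code from this thread or from FreeBSD. It models in userland how a reply copied with "strlen(name)" can still read back correctly when the caller's buffer was already zeroed, and how it fails once the buffer holds other bytes. fake_sysctl_out(), probe() and the sample name "ue0" are hypothetical, and the program makes no claim about what sysctl(8) itself does with the buffer.

```c
#include <stdio.h>
#include <string.h>

#define TERMINATED 1	/* a NUL lies inside the reported length */
#define LOOKS_OK   2	/* buffer reads back as the expected C string */

/* Hypothetical stand-in for SYSCTL_OUT(): copy exactly len bytes to the
 * caller's buffer and report the number of bytes written. */
static int
fake_sysctl_out(char *ubuf, size_t *ulen, const char *src, size_t len)
{
	if (len > *ulen)
		return (-1);
	memcpy(ubuf, src, len);
	*ulen = len;
	return (0);
}

/* Run one request; fill is the byte the caller's buffer held beforehand. */
static int
probe(const char *name, size_t len, int fill)
{
	char ubuf[32];
	size_t ulen = sizeof(ubuf) - 1;
	int result = 0;

	memset(ubuf, fill, sizeof(ubuf));
	ubuf[sizeof(ubuf) - 1] = '\0';	/* keeps strcmp() bounded in this demo */
	if (fake_sysctl_out(ubuf, &ulen, name, len) != 0)
		return (-1);
	if (memchr(ubuf, '\0', ulen) != NULL)
		result |= TERMINATED;
	if (strcmp(ubuf, name) == 0)
		result |= LOOKS_OK;
	return (result);
}

int
main(void)
{
	const char *name = "ue0";	/* constructed sample nameunit */

	printf("strlen,   zeroed buffer: %d\n", probe(name, strlen(name), 0));
	printf("strlen,   dirty buffer:  %d\n", probe(name, strlen(name), 'X'));
	printf("strlen+1, dirty buffer:  %d\n", probe(name, strlen(name) + 1, 'X'));
	return (0);
}
```

A result of 2 means the string looked right only because of what the buffer held before the call; 3 means the reply carried its own terminator.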


