kern/119079: [patch] DDB input routine reads/writes beyond end of buffer

Michael Plass mfp49_freebsd at plass-family.net
Thu Dec 27 15:00:09 PST 2007


>Number:         119079
>Category:       kern
>Synopsis:       [patch] DDB input routine reads/writes beyond end of buffer
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 27 23:00:09 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Michael Plass
>Release:        FreeBSD 7.0-PRERELEASE amd64
>Organization:
PARC
>Environment:
System: FreeBSD shuttle.plass-family.net 7.0-PRERELEASE FreeBSD 7.0-PRERELEASE #20: Thu Dec 27 13:31:57 PST 2007 root at shuttle.plass-family.net:/usr/obj/usr/src/sys/FASTGENERIC amd64
>Description:
	The ddb input routine db_readline() includes the terminating newline
	and NUL characters in the returned buffer, but it does not take this
	into account when checking against the caller-supplied limit.
>How-To-Repeat:
	Enter DDB and type enough characters to fill the buffer
	(120 characters).  Hit enter, and then use the up-arrow key to
	scroll back through history.  Note that it picks up garbage past the
	end of the original line.
>Fix:
	The patch checks the provided lsize and decreases by two to leave
	room for the newline and NUL; it also clears these two characters,
	because some of the code paths don't provide the terminating NUL.
	(The patch also corrects a problem in history redraw when the cursor
	is not at the end of the line while scrolling back through history.)

--- db_input_bufoverflow.patch begins here ---
Index: db_input.c
===================================================================
RCS file: /home/ncvs/src/sys/ddb/db_input.c,v
retrieving revision 1.37
diff -u -3 -r1.37 db_input.c
--- db_input.c	25 Dec 2007 23:06:51 -0000	1.37
+++ db_input.c	27 Dec 2007 22:04:40 -0000
@@ -250,7 +250,7 @@
 		}
 
 	    hist_redraw:
-		db_putnchars(BACKUP, db_le - db_lbuf_start);
+		db_putnchars(BACKUP, db_lc - db_lbuf_start);
 		db_putnchars(BLANK, db_le - db_lbuf_start);
 		db_putnchars(BACKUP, db_le - db_lbuf_start);
 		db_le = index(db_lbuf_start, '\0');
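Review bot: the backup count now uses db_lc (the cursor position) rather than db_le (the line end), which matches the Fix text's point that the cursor need not be at the end of the line when history is redrawn; since the two lines that follow still use db_le to blank and then back up over the old line, a one-line comment at hist_redraw stating that the terminal cursor sits at db_lc while the blank/backup pair below is sized to the old line's length would save the next reader from wondering why the three counts differ.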
@@ -302,6 +302,10 @@
 	char *	lstart;
 	int	lsize;
 {
+	if (lsize < 3)
+		return (0);
+	lstart[lsize - 1] = lstart[lsize - 2] = 0;
+	lsize -= 2;	/* allow space for newline and terminating NUL */
 	if (lsize != db_lhistlsize) {
 		/*
 		 * (Re)initialize input line history.  Throw away any
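Review bot: the early `return (0)` for lsize < 3 hands back a buffer the function has not touched, so on that path lstart need not be NUL-terminated; if any caller can pass such a small buffer, writing `lstart[0] = 0` (when lsize >= 1) before returning would keep the contract that the returned line is always a string. A short comment would also help: the two bytes cleared at lstart[lsize - 1] and lstart[lsize - 2] are exactly the ones the reduced lsize now reserves, and because `lsize -= 2` runs before the `lsize != db_lhistlsize` comparison, db_lhistlsize will record the reduced size, which is consistent as long as every caller passes the same original lsize.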
--- db_input_bufoverflow.patch ends here ---
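As an added illustration of the accounting error described in the Description and Fix above (this is example code written for this page, not the PR's patch or FreeBSD's db_input.c), the following models a DDB-style line reader in two variants. The reader copies typed characters into a caller-supplied buffer of lsize bytes and then appends the newline and NUL, as the PR says db_readline() does. The unfixed variant applies the limit only to typed characters; the fixed variant reserves two bytes up front the way the patch does. A canary-filled backing buffer larger than the advertised lsize lets a test observe the out-of-bounds writes without actually corrupting memory. The function names (readline_unfixed, readline_fixed, overflow_bytes, chars_kept) and the keystroke input are constructed; the 120-byte buffer size is the figure given in the PR.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not FreeBSD code: a simplified DDB-style line
 * reader. "keys" stands in for characters typed at the console;
 * lstart/lsize mirror the caller-supplied buffer of db_readline(). */

/* Unfixed accounting: the limit is applied to typed characters only, so
 * a full line puts the newline at lstart[lsize] and the NUL one past it. */
static int
readline_unfixed(const char *keys, char *lstart, int lsize)
{
	int n = 0;

	while (keys[n] != '\0' && n < lsize) {
		lstart[n] = keys[n];
		n++;
	}
	lstart[n] = '\n';
	lstart[n + 1] = '\0';
	return (n);
}

/* Fixed accounting, following the shape of the patch: refuse buffers too
 * small to hold even one character plus the two terminators, pre-clear the
 * two reserved bytes, and shrink the usable limit before reading. */
static int
readline_fixed(const char *keys, char *lstart, int lsize)
{
	int n = 0;

	if (lsize < 3)
		return (0);
	lstart[lsize - 1] = lstart[lsize - 2] = 0;
	lsize -= 2;	/* room for newline and terminating NUL */
	while (keys[n] != '\0' && n < lsize) {
		lstart[n] = keys[n];
		n++;
	}
	lstart[n] = '\n';
	lstart[n + 1] = '\0';
	return (n);
}

#define LSIZE	120	/* advertised buffer size, as in the PR */
#define SLACK	16	/* hidden canary region past the advertised end */
#define CANARY	0xAA

typedef int (*reader_fn)(const char *, char *, int);

/* Build a constructed keystroke string of 'a' repeated "typed" times. */
static void
make_keys(char *keys, int typed)
{
	if (typed > LSIZE + SLACK)
		typed = LSIZE + SLACK;
	memset(keys, 'a', (size_t)typed);
	keys[typed] = '\0';
}

/* Run a reader with an advertised size of LSIZE against a backing buffer
 * that is SLACK bytes larger and canary-filled; return how many canary
 * bytes past the advertised end were overwritten (0 = stayed in bounds). */
static int
overflow_bytes(reader_fn rd, int typed)
{
	unsigned char backing[LSIZE + SLACK];
	char keys[LSIZE + SLACK + 1];
	int clobbered = 0, i;

	make_keys(keys, typed);
	memset(backing, CANARY, sizeof(backing));
	rd(keys, (char *)backing, LSIZE);
	for (i = LSIZE; i < LSIZE + SLACK; i++)
		if (backing[i] != CANARY)
			clobbered++;
	return (clobbered);
}

/* How many typed characters the reader keeps for a given input length. */
static int
chars_kept(reader_fn rd, int typed)
{
	char backing[LSIZE + SLACK];
	char keys[LSIZE + SLACK + 1];

	make_keys(keys, typed);
	return (rd(keys, backing, LSIZE));
}

int
main(void)
{
	printf("unfixed, 130 typed: %d bytes past end, %d kept\n",
	    overflow_bytes(readline_unfixed, 130),
	    chars_kept(readline_unfixed, 130));
	printf("fixed,   130 typed: %d bytes past end, %d kept\n",
	    overflow_bytes(readline_fixed, 130),
	    chars_kept(readline_fixed, 130));
	return (0);
}
```

With 120 typed characters the unfixed reader writes two bytes past the advertised buffer (the newline and NUL), and with 119 it writes one; the fixed reader never passes the end and keeps at most 118 characters, leaving the last two bytes for the terminators. The canary approach is the same check a reviewer can apply to the real function under a unit-test harness: hand it a larger allocation than it is told about and inspect the tail afterwards.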


>Release-Note:
>Audit-Trail:
>Unformatted: