Off-by-one error in ngets() causing panic in loader(8)?

John Baldwin jhb at
Tue Mar 31 08:03:30 PDT 2009

On Monday 30 March 2009 5:23:07 pm Bruce Cran wrote:
> I've noticed that if I fill the input buffer at the loader prompt on
> 7-STABLE I get panic with a guard page failure.  From what I can see
> the loader uses the ngets function in src/lib/libstand/gets.c with a
> buffer of size of 256.  If I print out the value of strlen(input) in
> interp.c I get 256. Shouldn't line 77 of gets.c be comparing (lp-buf)
> against (n-1) instead of n?

Yep.  I've committed the fix.  The libstand(3) manpage states that ngets() 
puts in at most n - 1 characters followed by a NULL, so n - 1 is the correct 

John Baldwin

More information about the freebsd-stable mailing list