[Bug 238486] Possible buffer overflow bug in sc_allocate_keyboard() of sys/dev/syscons/syscons.c
bugzilla-noreply at freebsd.org
Tue Jun 11 07:48:40 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238486
Bug ID: 238486
Summary: Possible buffer overflow bug in sc_allocate_keyboard()
of sys/dev/syscons/syscons.c
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: yangx92 at hotmail.com
Created attachment 204976
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204976&action=edit
Proposed patch
There is a possible buffer overflow bug in sc_allocate_keyboard() of
sys/dev/syscons/syscons.c.

    k0 = kbd_get_keyboard(idx0);

    for (idx = kbd_find_keyboard2("*", -1, 0);
         idx != -1;
         idx = kbd_find_keyboard2("*", -1, idx + 1)) {
        k = kbd_get_keyboard(idx);

        if (idx == idx0 || KBD_IS_BUSY(k))
            continue;

        bzero(&ki, sizeof(ki));
        strcpy(ki.kb_name, k->kb_name);
        ki.kb_unit = k->kb_unit;

        (void)kbdd_ioctl(k0, KBADDKBD, (caddr_t) &ki);
    }

We should use strncpy to copy into a fixed-size buffer instead of strcpy().
The attachment is the proposed patch.
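
Added example (not part of the original report, the attached patch, or FreeBSD's source): a user-space sketch of a bounded name copy that always NUL-terminates and reports truncation, next to a check showing that strncpy() bounded by the full buffer size leaves an over-long name unterminated. The structure demo_kbd_info, the size DEMO_NAMELEN, the demo_* helper names and the sample names are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_NAMELEN 16 /* assumed size for this demo, not taken from kernel headers */

/* Hypothetical stand-in for the structure the loop fills in (ki). */
struct demo_kbd_info {
	char kb_name[DEMO_NAMELEN];
	int  kb_unit;
};

/*
 * strlcpy()-style copy: dst is always NUL-terminated when dstsize > 0, and
 * the return value is strlen(src), so a result >= dstsize means truncation.
 */
static size_t demo_bounded_copy(char *dst, const char *src, size_t dstsize)
{
	size_t srclen = strlen(src);
	if (dstsize != 0) {
		size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return srclen;
}

/* Returns 0 on success, -1 if name did not fit (kb_name keeps a terminated prefix). */
static int demo_fill_info(struct demo_kbd_info *ki, const char *name, int unit)
{
	memset(ki, 0, sizeof(*ki));
	ki->kb_unit = unit;
	return demo_bounded_copy(ki->kb_name, name, sizeof(ki->kb_name))
	    >= sizeof(ki->kb_name) ? -1 : 0;
}

/* Returns 1 if strncpy() bounded by the full buffer size leaves it unterminated. */
static int demo_strncpy_unterminated(const char *src)
{
	char buf[DEMO_NAMELEN];
	memset(buf, 'X', sizeof(buf));
	strncpy(buf, src, sizeof(buf));
	return memchr(buf, '\0', sizeof(buf)) == NULL;
}

int main(void)
{
	struct demo_kbd_info ki;
	printf("fill rc=%d\n", demo_fill_info(&ki, "constructed-overlong-name", 0));
	return demo_strncpy_unterminated("constructed-overlong-name") ? 0 : 1;
}
```

In the loop quoted in the report, ki is zeroed by bzero() before the copy, so a copy bounded to sizeof(ki.kb_name) - 1 bytes would also leave the name terminated.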