[PATCH] Buffer overflow in devclass_add_device()

John Baldwin jhb at freebsd.org
Fri Nov 6 15:51:04 UTC 2009


On Friday 06 November 2009 10:20:35 am Attilio Rao wrote:
> A buffer overflow is possible in devclass_add_device().
> More specifically, the dev nameunit construction is based on the
> assumption that the unit linked with the device is invariant but that
> can change when calling devclass_alloc_unit() (because -1 is passed
> or, more simply, because the unit chosen is beyond the table limits).
> This results in a buffer overflow if the buffer is too short on the
> second snprintf().
> This patch should fix it:
> http://www.freebsd.org/~attilio/Sandvine/STABLE_8/subr_bus/subr_bus.diff
> 
> aiming for the max possible number of digits necessary.
> This bug has been found by Sandvine Incorporated.
> Please review.

Looks ok to me.

-- 
John Baldwin
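Added example (not the patch or the FreeBSD code; the helper names are hypothetical) contrasting a nameunit buffer sized on the unit that was requested, which becomes too small once devclass_alloc_unit() hands out a unit with more digits, with a buffer sized for INT_MAX as the thread describes:

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Fragile (hypothetical helper, not the FreeBSD code): size the buffer from
 * the unit that was *requested*. For a wildcard request of -1 that leaves
 * room for just two characters, so a unit handed out later with more digits
 * no longer fits. */
static size_t nameunit_len_requested(const char *name, int unit)
{
	return (size_t)snprintf(NULL, 0, "%s%d", name, unit) + 1;
}

/* Robust: size for the widest unit an int can hold (the patch's approach,
 * "aiming for the max possible number of digits"). The requested unit is
 * deliberately ignored, so allocation cannot invalidate the size. */
static size_t nameunit_len_max(const char *name, int unit)
{
	(void)unit;
	return (size_t)snprintf(NULL, 0, "%s%d", name, INT_MAX) + 1;
}

/* Format "<name><unit>" for the unit actually allocated. Returns 0 when it
 * fits, -1 when buflen was too small (snprintf truncates instead of writing
 * past the end; an unbounded sprintf here is the overflow). */
static int build_nameunit(char *buf, size_t buflen, const char *name, int unit)
{
	int n = snprintf(buf, buflen, "%s%d", name, unit);
	return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Size with `sizer` for `requested`, then build for `allocated`, mimicking
 * a unit that changed between the two steps. */
static int scenario(size_t (*sizer)(const char *, int), const char *name,
    int requested, int allocated)
{
	size_t buflen = sizer(name, requested);
	char *buf = calloc(1, buflen);
	int rc = buf ? build_nameunit(buf, buflen, name, allocated) : -1;
	free(buf);
	return rc;
}

int main(void)
{
	/* Constructed case: -1 requested, unit 100 allocated. */
	printf("sized on request: %d\n", scenario(nameunit_len_requested, "uart", -1, 100));
	printf("sized on INT_MAX: %d\n", scenario(nameunit_len_max, "uart", -1, 100));
	return 0;
}
```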