[PATCH] Buffer overflow in devclass_add_device()

M. Warner Losh imp at bsdimp.com
Fri Nov 6 16:21:11 UTC 2009


In message: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a at mail.gmail.com>
            Attilio Rao <attilio at FreeBSD.org> writes:
: A buffer overflow is possible in devclass_add_device().
: More specifically, the dev nameunit construction is based on the
: assumption that the unit linked with the device is invariant but that
: can change when calling devclass_alloc_unit() (because -1 is passed
: or, more simply, because the unit chosen is beyond the table limits).
: This results in a buffer overflow if the buffer is too short on the
: second snprintf().
: This patch should fix it:
: http://www.freebsd.org/~attilio/Sandvine/STABLE_8/subr_bus/subr_bus.diff
: 
: aiming for the max possible number of digits necessary.
: This bug has been found by Sandvine Incorporated.
: Please review.

I don't see a problem with it, except you'd want -INT_MAX to be
paranoid, since it is one character longer (or just add 1) :)

However, it might be better to just allocate strlen(dc->name) +
log10(INT_MAX) + 2 and not have snprintf do that calculation.  But it
doesn't look like there's a compile-time constant for that...

Warner
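A constructed C model of the sizing bug described above and of the worst-case allocation Warner suggests, added here as an illustration; it is not FreeBSD code or Attilio's patch. `struct devclass`, `alloc_unit` and `build_nameunit` are simplified stand-ins for the real devclass and devclass_alloc_unit(), and snprintf's bound is used so the demo reports the would-be overflow instead of corrupting memory.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TABLE_SIZE 16
/* Constructed stand-in for a devclass: a driver name and a unit table. */
struct devclass { const char *name; int used[TABLE_SIZE]; };

/* Stand-in for devclass_alloc_unit(): grants a free requested slot,
 * otherwise hands out the first free unit, so the unit the caller
 * assumed (-1, or an occupied slot) is not the one that gets used. */
static int alloc_unit(struct devclass *dc, int requested) {
    if (requested >= 0 && requested < TABLE_SIZE && !dc->used[requested]) {
        dc->used[requested] = 1;
        return requested;
    }
    for (int u = 0; u < TABLE_SIZE; u++)
        if (!dc->used[u]) { dc->used[u] = 1; return u; }
    return -1;
}

/* Allocate `len` bytes, pick the unit, then write the nameunit string.
 * Returns 1 if it fit, 0 if the write would have run past the buffer
 * (snprintf's bound keeps the demo memory-safe; the real bug had none). */
static int build_nameunit(struct devclass *dc, size_t len, int requested) {
    char *buf = malloc(len);
    if (buf == NULL) return 0;
    int unit = alloc_unit(dc, requested);      /* may differ from requested */
    int needed = snprintf(buf, len, "%s%d", dc->name, unit);
    int fits = needed >= 0 && (size_t)needed < len;
    free(buf);
    return fits;
}

/* Buggy pattern: size the buffer from the *requested* unit's digits. */
static int nameunit_buggy(struct devclass *dc, int requested) {
    size_t len = (size_t)snprintf(NULL, 0, "%s%d", dc->name, requested) + 1;
    return build_nameunit(dc, len, requested);
}

/* Digits needed for any int: bits * log10(2) rounded down, plus one
 * (10 for 32-bit int). libc has no such constant, as the reply notes. */
#define INT_DIGITS (sizeof(int) * CHAR_BIT * 302 / 1000 + 1)

/* Fixed pattern: strlen(name) + digits(INT_MAX) + 2 (sign and NUL), the
 * worst-case size suggested in the reply, so any chosen unit fits. */
static int nameunit_fixed(struct devclass *dc, int requested) {
    size_t len = strlen(dc->name) + INT_DIGITS + 2;
    return build_nameunit(dc, len, requested);
}
```

With units 0 through 9 already taken, a request for unit 5 is redirected to unit 10, and the buffer sized for "em5" is one byte short of "em10".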