svn commit: r316768 - head/lib/libc/gen
Brooks Davis
brooks at FreeBSD.org
Thu Apr 13 15:52:46 UTC 2017
Author: brooks
Date: Thu Apr 13 15:52:45 2017
New Revision: 316768
URL: https://svnweb.freebsd.org/changeset/base/316768
Log:
Fix an out-of-bounds write when a zero-length buffer is passed.
Found with ttyname_test and CHERI bounds checking.
Reviewed by: emaste
Obtained from: CheriBSD
MFC after: 1 week
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D10377
Modified:
head/lib/libc/gen/ttyname.c
Modified: head/lib/libc/gen/ttyname.c
==============================================================================
--- head/lib/libc/gen/ttyname.c Thu Apr 13 15:49:55 2017 (r316767)
+++ head/lib/libc/gen/ttyname.c Thu Apr 13 15:52:45 2017 (r316768)
@@ -61,6 +61,10 @@ ttyname_r(int fd, char *buf, size_t len)
{
size_t used;
+ /* Don't write off the end of a zero-length buffer. */
+ if (len < 1)
+ return (ERANGE);
+
*buf = '\0';
/* Must be a terminal. */
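Review bot: The new `len < 1` test at the top of ttyname_r() runs before the "Must be a terminal" check, so a call with a zero-length buffer on a descriptor that is not a terminal now reports ERANGE instead of whatever error the terminal check would return. If the terminal error should take precedence, guard only the store (`if (len > 0) *buf = '\0';`) and return ERANGE after the terminal check. As a style point, `len` is a `size_t`, so `len < 1` can only mean `len == 0`, and writing it that way matches the comment about a zero-length buffer. The check also covers only the length: `*buf = '\0'` still dereferences `buf` unconditionally when `len` is nonzero, so a NULL `buf` remains the caller's responsibility.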