Date:      Tue, 12 Feb 2013 09:34:37 +0100
From:      Christoph Mallon <christoph.mallon@gmx.de>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   i386/176053: [PATCH] i386: Correct wrong usage of vsnprintf()
Message-ID:  <E1U5BK1-0006ui-CR@rotluchs.lokal>
Resent-Message-ID: <201302120840.r1C8e0d7031472@freefall.freebsd.org>


>Number:         176053
>Category:       i386
>Synopsis:       [PATCH] i386: Correct wrong usage of vsnprintf()
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 12 08:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Christoph Mallon
>Release:        
>Organization:
>Environment:


	
>Description:
printk() uses snprintf() wrong, which may lead to a buffer overrun.
retval might be larger than the size of buf.
In this case buf[retval] = 0; will write beyond the end of buf.
>How-To-Repeat:
	
>Fix:
Please apply the patch.

--- 0001-i386-Correct-wrong-usage-of-vsnprintf.patch begins here ---
>From 1fdbba2f44e3e2782c044d5b6a91beb701d10072 Mon Sep 17 00:00:00 2001
From: Christoph Mallon <christoph.mallon@gmx.de>
Date: Sat, 12 Jan 2013 09:36:40 +0100
Subject: [PATCH] i386: Correct wrong usage of vsnprintf().

- vsnprintf() always NUL terminates the string.
- retval might be larger than the size of buf.
---
 sys/i386/xen/xen_machdep.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sys/i386/xen/xen_machdep.c b/sys/i386/xen/xen_machdep.c
index 3b3da6f..32352bc 100644
--- a/sys/i386/xen/xen_machdep.c
+++ b/sys/i386/xen/xen_machdep.c
@@ -177,18 +177,17 @@ xen_boothowto(char *envp)
 	return howto;
 }
 
-#define PRINTK_BUFSIZE 1024
 void
 printk(const char *fmt, ...)
 {
         __va_list ap;
         int retval;
-        static char buf[PRINTK_BUFSIZE];
+	static char buf[1024];
 
         va_start(ap, fmt);
-        retval = vsnprintf(buf, PRINTK_BUFSIZE - 1, fmt, ap);
+	retval = vsnprintf(buf, sizeof(buf), fmt, ap);
         va_end(ap);
-        buf[retval] = 0;
+	retval = min(retval, (int)sizeof(buf) - 1);
         (void)HYPERVISOR_console_write(buf, retval);
 }
 
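Review bot: the clamp `retval = min(retval, (int)sizeof(buf) - 1);` only bounds retval from above and does not obviously cover a negative retval. Whether a negative value passes through to HYPERVISOR_console_write() as the length or is converted first depends on the parameter types of min(), which the hunk does not show. Since retval is an int, either handle retval < 0 explicitly before the write or add a one-line comment saying why it cannot occur here. A short comment that vsnprintf() returns the untruncated length would also keep the clamp from being dropped later as redundant. Style: the three added lines are tab-indented while the unchanged lines of printk() use eight spaces, so the function ends up with mixed indentation; converting the remaining lines in the same change would keep it consistent.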
-- 
1.8.1.3
--- 0001-i386-Correct-wrong-usage-of-vsnprintf.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:
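The return-value behaviour described in the report, as an added example that is not part of the original message or of the FreeBSD source. It assumes the userland C library vsnprintf() rather than the kernel one, and the names old_terminator_index and format_clamped are hypothetical.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Index the pre-patch pattern would use for its NUL store: the raw return
 * of vsnprintf(buf, size - 1, ...). Only computes it; nothing is written
 * outside buf. */
static int
old_terminator_index(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(buf, size - 1, fmt, ap);
	va_end(ap);
	return (n);	/* length the full output needs, may be >= size */
}

/* Hardened form: returns the number of bytes actually stored in buf,
 * not counting the terminating NUL, so the result is always < size. */
static size_t
format_clamped(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return (0);
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0) {		/* userland vsnprintf() may report an error */
		buf[0] = '\0';
		return (0);
	}
	return ((size_t)n >= size ? size - 1 : (size_t)n);
}

int
main(void)
{
	char buf[8];	/* constructed small buffer to force truncation */

	printf("old index: %d (buffer holds 8 bytes)\n",
	    old_terminator_index(buf, sizeof(buf), "%s", "hello world"));
	printf("clamped:   %zu\n",
	    format_clamped(buf, sizeof(buf), "%s", "hello world"));
	return (0);
}
```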


