Date: Tue, 12 Feb 2013 09:34:37 +0100
From: Christoph Mallon <christoph.mallon@gmx.de>
To: FreeBSD-gnats-submit@freebsd.org
Subject: i386/176053: [PATCH] i386: Correct wrong usage of vsnprintf()
Message-ID: <E1U5BK1-0006ui-CR@rotluchs.lokal>
Resent-Message-ID: <201302120840.r1C8e0d7031472@freefall.freebsd.org>
>Number: 176053 >Category: i386 >Synopsis: [PATCH] i386: Correct wrong usage of vsnprintf() >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-i386 >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Tue Feb 12 08:40:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: Christoph Mallon >Release: >Organization: >Environment: >Description: printk() uses snprintf() wrong, which may lead to a buffer overrun. retval might be larger than the size of buf. In this case buf[retval] = 0; will write beyond the end of buf. >How-To-Repeat: >Fix: Please apply the patch. --- 0001-i386-Correct-wrong-usage-of-vsnprintf.patch begins here --- >From 1fdbba2f44e3e2782c044d5b6a91beb701d10072 Mon Sep 17 00:00:00 2001 From: Christoph Mallon <christoph.mallon@gmx.de> Date: Sat, 12 Jan 2013 09:36:40 +0100 Subject: [PATCH] i386: Correct wrong usage of vsnprintf(). - vsnprintf() always NUL terminates the string. - retval might be larger than the size of buf. --- sys/i386/xen/xen_machdep.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/sys/i386/xen/xen_machdep.c b/sys/i386/xen/xen_machdep.c index 3b3da6f..32352bc 100644 --- a/sys/i386/xen/xen_machdep.c +++ b/sys/i386/xen/xen_machdep.c @@ -177,18 +177,17 @@ xen_boothowto(char *envp) return howto; } -#define PRINTK_BUFSIZE 1024 void printk(const char *fmt, ...) { __va_list ap; int retval; - static char buf[PRINTK_BUFSIZE]; + static char buf[1024]; va_start(ap, fmt); - retval = vsnprintf(buf, PRINTK_BUFSIZE - 1, fmt, ap); + retval = vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); - buf[retval] = 0; + retval = min(retval, (int)sizeof(buf) - 1); (void)HYPERVISOR_console_write(buf, retval); } -- 1.8.1.3 --- 0001-i386-Correct-wrong-usage-of-vsnprintf.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
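Review bot: In the clamp line, retval = min(retval, (int)sizeof(buf) - 1);, both arguments are int, but FreeBSD's libkern min() takes u_int, so the (int) cast is undone by the implicit conversion; imin() would match the int type of retval. A short comment above the clamp, saying that vsnprintf() returns the length the formatted output would have had rather than the number of bytes stored in buf, would record why the value must be limited before HYPERVISOR_console_write(buf, retval). Dropping PRINTK_BUFSIZE for a literal 1024 is fine here, since the size passed to vsnprintf() and the clamp are now both derived from sizeof(buf).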