From owner-svn-src-all@FreeBSD.ORG Mon Mar 16 15:23:23 2015 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 75B3660C; Mon, 16 Mar 2015 15:23:23 +0000 (UTC) Received: from bigwig.baldwin.cx (bigwig.baldwin.cx [IPv6:2001:470:1f11:75::1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4E2D0128; Mon, 16 Mar 2015 15:23:23 +0000 (UTC) Received: from ralph.baldwin.cx (pool-173-54-116-245.nwrknj.fios.verizon.net [173.54.116.245]) by bigwig.baldwin.cx (Postfix) with ESMTPSA id 63B80B99B; Mon, 16 Mar 2015 11:23:22 -0400 (EDT) From: John Baldwin To: Ian Lepore Subject: Re: svn commit: r280000 - head/sys/kern Date: Mon, 16 Mar 2015 11:03:50 -0400 Message-ID: <12549176.JQXl7VCYPu@ralph.baldwin.cx> User-Agent: KMail/4.14.2 (FreeBSD/10.1-STABLE; KDE/4.14.2; amd64; ; ) In-Reply-To: <201503141846.t2EIkX9f022164@svn.freebsd.org> References: <201503141846.t2EIkX9f022164@svn.freebsd.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (bigwig.baldwin.cx); Mon, 16 Mar 2015 11:23:22 -0400 (EDT) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Mar 2015 15:23:23 -0000 On Saturday, March 14, 2015 06:46:33 PM Ian Lepore wrote: > Author: ian > Date: Sat Mar 14 18:46:33 2015 > New Revision: 280000 > URL: https://svnweb.freebsd.org/changeset/base/280000 > > Log: > Use sbuf_new_for_sysctl() instead of plain sbuf_new() to ensure sysctl > string returned to userland is nulterminated. > > PR: 195668 > > Modified: > head/sys/kern/kern_fail.c > > Modified: head/sys/kern/kern_fail.c > ============================================================================== > --- head/sys/kern/kern_fail.c Sat Mar 14 18:42:30 2015 (r279999) > +++ head/sys/kern/kern_fail.c Sat Mar 14 18:46:33 2015 (r280000) > @@ -394,11 +394,10 @@ fail_point_sysctl(SYSCTL_HANDLER_ARGS) > int error; > > /* Retrieving */ > - sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND); > + sbuf_new_for_sysctl(&sb, NULL, 128, req); > fail_point_get(fp, &sb); > sbuf_trim(&sb); > - sbuf_finish(&sb); > - error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb)); > + error = sbuf_finish(&sb); > sbuf_delete(&sb); This one is also unsafe (fail_point_get() uses sbuf_printf() under FP_LOCK()). -- John Baldwin