Date: Mon, 16 Mar 2015 11:03:50 -0400
From: John Baldwin <jhb@freebsd.org>
To: Ian Lepore <ian@freebsd.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r280000 - head/sys/kern
Message-ID: <12549176.JQXl7VCYPu@ralph.baldwin.cx>
In-Reply-To: <201503141846.t2EIkX9f022164@svn.freebsd.org>
References: <201503141846.t2EIkX9f022164@svn.freebsd.org>
On Saturday, March 14, 2015 06:46:33 PM Ian Lepore wrote: > Author: ian > Date: Sat Mar 14 18:46:33 2015 > New Revision: 280000 > URL: https://svnweb.freebsd.org/changeset/base/280000 > > Log: > Use sbuf_new_for_sysctl() instead of plain sbuf_new() to ensure sysctl > string returned to userland is nulterminated. > > PR: 195668 > > Modified: > head/sys/kern/kern_fail.c > > Modified: head/sys/kern/kern_fail.c > ============================================================================== > --- head/sys/kern/kern_fail.c Sat Mar 14 18:42:30 2015 (r279999) > +++ head/sys/kern/kern_fail.c Sat Mar 14 18:46:33 2015 (r280000) > @@ -394,11 +394,10 @@ fail_point_sysctl(SYSCTL_HANDLER_ARGS) > int error; > > /* Retrieving */ > - sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND); > + sbuf_new_for_sysctl(&sb, NULL, 128, req); > fail_point_get(fp, &sb); > sbuf_trim(&sb); > - sbuf_finish(&sb); > - error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb)); > + error = sbuf_finish(&sb); > sbuf_delete(&sb); This one is also unsafe (fail_point_get() uses sbuf_printf() under FP_LOCK()). -- John Baldwin
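Review bot: In the @@ -394,11 +394,10 @@ hunk of fail_point_sysctl(), `sbuf_new_for_sysctl(&sb, NULL, 128, req)` ties the sbuf to the sysctl request, so whatever fail_point_get(fp, &sb) prints can be drained to userland through req while that function is still running. The reply above states that fail_point_get() calls sbuf_printf() under FP_LOCK(), which would put a copyout to user memory, an operation that can fault and sleep, inside the locked region. Suggest building the string in a plain auto-extending sbuf while the lock is held and copying out only after fail_point_get() returns, for example by keeping the sbuf_finish() plus SYSCTL_OUT() pair and passing `sbuf_len(&sb) + 1` so the terminating NUL is included. The alternative is to wire the user buffer before the lock is taken. Either way, a short comment in the handler saying why the copyout happens where it does would help the next reader.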