Date:      Sat, 2 May 2015 08:31:17 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r282337 - head/sys/kern
Message-ID:  <201505020831.t428VHGQ019788@svn.freebsd.org>

Author: bz
Date: Sat May  2 08:31:16 2015
New Revision: 282337
URL: https://svnweb.freebsd.org/changeset/base/282337

Log:
  Fix an off-by-one bug in string/array handling which led to memory overwrite
  and follow-up assertion errors on at least ARM after r282257,
  with nvp_magic being 0x6e7600:
  Assertion failed: ((nvp)->nvp_magic == 0x6e7670), function nvpair_name, file .../subr_nvpair.c, line 713.
  
  Sponsored by:	DARPA/AFRL

Modified:
  head/sys/kern/subr_nvpair.c

Modified: head/sys/kern/subr_nvpair.c
==============================================================================
--- head/sys/kern/subr_nvpair.c	Sat May  2 04:19:11 2015	(r282336)
+++ head/sys/kern/subr_nvpair.c	Sat May  2 08:31:16 2015	(r282337)
@@ -733,7 +733,7 @@ nvpair_allocv(const char *name, int type
 	if (nvp != NULL) {
 		nvp->nvp_name = (char *)(nvp + 1);
 		memcpy(nvp->nvp_name, name, namelen);
-		nvp->nvp_name[namelen + 1] = '\0';
+		nvp->nvp_name[namelen] = '\0';
 		nvp->nvp_type = type;
 		nvp->nvp_data = data;
 		nvp->nvp_datasize = datasize;
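
Review bot: the corrected store `nvp->nvp_name[namelen] = '\0';` is in bounds only if the allocation reserves `namelen + 1` bytes after the struct for the name placed at `(char *)(nvp + 1)`, and that size expression sits above this hunk, so it cannot be checked from the lines shown. It is worth confirming it as part of this change and adding a one-line comment at the allocation stating the layout (struct, then name, then NUL), because the removed line wrote at index `namelen + 1` and left index `namelen` itself unwritten. The log's observed magic of 0x6e7600 against the expected 0x6e7670 differs only in a zeroed low byte, which fits a single stray NUL store; an assertion next to the allocation tying the reserved name space to `namelen + 1` would catch a recurrence closer to the cause than the `nvp_magic` assertion in `nvpair_name` did.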


