Date: Sat, 24 Sep 2005 18:40:30 GMT
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 84219 for review
Message-ID: <200509241840.j8OIeUc5009583@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=84219 Change 84219 by rwatson@rwatson_peppercorn on 2005/09/24 18:40:12 vn_fullpath() returns a buffer of max length MAXPATHLEN containing a nul-terminated path string. However, the pointer to the path may not be the head of the buffer, so attempting to bcopy the buffer length may overrun the end of the buffer for reading, resulting in a possible invalid memory access. Because of proper nul termination, this did not result in leakage of kernel memory to user space, but could result in a panic. Affected files ... .. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_klib.c#11 edit Differences ... ==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_klib.c#11 (text+ko) ==== @@ -449,7 +449,7 @@ vn_lock(vnp, LK_EXCLUSIVE | LK_RETRY, td); if (vn_fullpath(td, vnp, &retbuf, &freebuf) == 0) { /* Copy and free buffer allocated by vn_fullpath() */ - bcopy(retbuf, cpath, MAXPATHLEN); + strlcpy(cpath, retbuf, MAXPATHLEN); free(freebuf, M_TEMP); } else {
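Review bot: at the new strlcpy(cpath, retbuf, MAXPATHLEN) line, the copy now stops at the terminating nul, so the bytes of cpath after the string are no longer written, whereas the old bcopy() filled all MAXPATHLEN bytes. Please confirm that every consumer of cpath treats it as a string rather than copying it by fixed length, or have the caller zero cpath first, so stale contents of the tail cannot end up in an audit record. The size argument also assumes cpath is at least MAXPATHLEN bytes, which is not visible in this hunk; a note in the function's header comment stating that requirement would help. Finally, the comment "Copy and free buffer allocated by vn_fullpath()" could record that retbuf may point into the middle of freebuf, since that is the reason a length-based copy is unsafe here and it guards against someone reverting to bcopy() later.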