From owner-p4-projects@FreeBSD.ORG Sat Sep 24 18:40:31 2005
Date: Sat, 24 Sep 2005 18:40:30 GMT
Message-Id: <200509241840.j8OIeUc5009583@repoman.freebsd.org>
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 84219 for review

http://perforce.freebsd.org/chv.cgi?CH=84219

Change 84219 by rwatson@rwatson_peppercorn on 2005/09/24 18:40:12

vn_fullpath() returns a buffer of max length MAXPATHLEN containing a nul-terminated path string. However, the pointer to the path may not be the head of the buffer, so attempting to bcopy the buffer length may overrun the end of the buffer for reading, resulting in a possible invalid memory access. Because of proper nul termination, this did not result in leakage of kernel memory to user space, but could result in a panic.

Affected files ...

.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_klib.c#11 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_klib.c#11 (text+ko) ==== @@ -449,7 +449,7 @@ vn_lock(vnp, LK_EXCLUSIVE | LK_RETRY, td); if (vn_fullpath(td, vnp, &retbuf, &freebuf) == 0) { /* Copy and free buffer allocated by vn_fullpath() */ - bcopy(retbuf, cpath, MAXPATHLEN); + strlcpy(cpath, retbuf, MAXPATHLEN); free(freebuf, M_TEMP); } else {
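
Review bot: On the added strlcpy() line, the bound is the constant MAXPATHLEN rather than the size of cpath, and the declaration of cpath is outside this hunk, so the destination size cannot be confirmed from the diff. If cpath is an array in this function, sizeof(cpath) would tie the bound to the actual destination; if it is a caller-supplied pointer, a note on the function stating that it must point to at least MAXPATHLEN bytes would help. The existing comment "Copy and free buffer allocated by vn_fullpath()" could also say that retbuf may point into the middle of freebuf, since that is the reason a fixed-length copy is wrong here and it is easy to reintroduce.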
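
The over-read the change description explains, as an added user-space example (not code from the FreeBSD tree or from the commit author). It assumes the path is assembled at the tail of the MAXPATHLEN allocation; `model_fullpath`, `fixed_copy_overread`, `bounded_copy` and `bounded_copy_read` are hypothetical names, and `bounded_copy` is a portable stand-in for strlcpy().

```c
#include <stdio.h>
#include <string.h>

#undef MAXPATHLEN
#define MAXPATHLEN 1024   /* FreeBSD's value, fixed here so the example is self-contained */

/* Assumed model of vn_fullpath(): the path is assembled at the tail of a
 * MAXPATHLEN allocation, so the returned pointer is not the buffer head. */
static char *model_fullpath(char *freebuf, const char *path)
{
    size_t need = strlen(path) + 1;               /* path plus its NUL */
    return need > MAXPATHLEN ? NULL : memcpy(freebuf + MAXPATHLEN - need, path, need);
}

/* Bytes a fixed MAXPATHLEN-byte copy starting at retbuf (the old bcopy) would
 * read past the allocation: exactly retbuf's offset. Computed, never performed. */
static size_t fixed_copy_overread(const char *path)
{
    char freebuf[MAXPATHLEN];
    char *retbuf = model_fullpath(freebuf, path);
    return retbuf ? (size_t)(retbuf - freebuf) : 0;
}

/* Stand-in with strlcpy() semantics: stops at the source NUL. size must be > 0. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src), n = len < size - 1 ? len : size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* Source bytes the bounded copy touches: the string and its terminator. */
static size_t bounded_copy_read(const char *path)
{
    char freebuf[MAXPATHLEN], cpath[MAXPATHLEN];
    char *retbuf = model_fullpath(freebuf, path);
    if (retbuf == NULL)
        return 0;
    bounded_copy(cpath, retbuf, sizeof(cpath));
    return strcmp(cpath, path) == 0 ? strlen(cpath) + 1 : 0;
}

int main(void)
{
    const char *p = "/etc/passwd";                /* constructed sample path */
    printf("fixed copy over-reads %zu bytes; bounded copy reads %zu bytes\n",
           fixed_copy_overread(p), bounded_copy_read(p));
    return 0;
}
```

The shorter the path, the further into the allocation the returned pointer sits and the larger the fixed-length over-read, which is why the fault depends on what follows the buffer in memory.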