[PATCH] Buffer overflow in devclass_add_device()
Attilio Rao
attilio at freebsd.org
Fri Nov 6 15:52:08 UTC 2009
A buffer overflow is possible in devclass_add_device().
More specifically, the dev nameunit construction is based on the
assumption that the unit linked with the device is invariant but that
can change when calling devclass_alloc_unit() (because -1 is passed
or, more simply, because the unit chosen is beyond the table limits).
This results in a buffer overflow if the buf is too short on the
second snprintf().
This patch should fix it:
http://www.freebsd.org/~attilio/Sandvine/STABLE_8/subr_bus/subr_bus.diff
aiming for the max possible number of digits necessary.
This bug has been found by Sandvine Incorporated.
Please review.
Thanks,
Attilio
--
Peace can only be achieved by understanding - A. Einstein
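
The sizing problem described in the message above, as an added C example that is not part of the original post or of the linked FreeBSD patch: the buffer is sized from the unit as requested, allocation then changes the unit, and a bounded snprintf() reports that the final name no longer fits. The function names, the `alloc_unit` stand-in and the sample values are assumptions; sizing for `INT_MAX` is one reading of "the max possible number of digits".

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Bytes needed for "<name><unit>" plus the terminating NUL. */
static size_t nameunit_size(const char *name, int unit)
{
    int n = snprintf(NULL, 0, "%s%d", name, unit);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hypothetical stand-in for unit allocation: -1 means "pick one for me". */
static int alloc_unit(int requested, int first_free)
{
    return requested < 0 ? first_free : requested;
}

/*
 * Size the buffer, allocate the unit, then format. With size_for_max == 0
 * the size comes from the unit as requested (the fragile order); otherwise
 * from INT_MAX, the widest non-negative unit. Returns NULL when the final
 * name does not fit: the bounded snprintf() returns the length it wanted,
 * so the mismatch is detected instead of written past the buffer.
 */
static char *make_nameunit(const char *name, int requested, int first_free,
                           int size_for_max)
{
    size_t size = nameunit_size(name, size_for_max ? INT_MAX : requested);
    char *buf = size ? malloc(size) : NULL;
    if (buf == NULL)
        return NULL;
    int unit = alloc_unit(requested, first_free);
    int n = snprintf(buf, size, "%s%d", name, unit);
    if (n < 0 || (size_t)n >= size) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    /* Constructed case: unit requested as -1, allocator returns 100. */
    char *a = make_nameunit("foo", -1, 100, 0);
    char *b = make_nameunit("foo", -1, 100, 1);
    printf("sized early: %s\n", a ? a : "(does not fit)");
    printf("sized for INT_MAX: %s\n", b ? b : "(failed)");
    free(a); free(b);
    return 0;
}
```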