usb/138559: [usb8] uether sysctl handler doesn't NUL-terminate the string

Hans Petter Selasky hselasky at c2i.net
Sun Sep 6 06:10:03 UTC 2009


The following reply was made to PR usb/138559; it has been noted by GNATS.

From: Hans Petter Selasky <hselasky at c2i.net>
To: freebsd-usb at freebsd.org
Cc: Bruce Cran <bruce at cran.org.uk>,
 freebsd-gnats-submit at freebsd.org
Subject: Re: usb/138559: [usb8] uether sysctl handler doesn't NUL-terminate the string
Date: Sun, 6 Sep 2009 08:07:58 +0200

 On Sunday 06 September 2009 00:14:04 Bruce Cran wrote:
 > >Number:         138559
 > >Category:       usb
 > >Synopsis:       [usb8] uether sysctl handler doesn't NUL-terminate the string
 > >Confidential:   no
 > >Severity:       non-critical
 > >Priority:       low
 > >Responsible:    freebsd-usb
 > >State:          open
 > >Quarter:
 > >Keywords:
 > >Date-Required:
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Sat Sep 05 22:20:03 UTC 2009
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Bruce Cran
 > >Release:        8.0-BETA3
 > >Organization:
 > >Environment:
 >
 > FreeBSD gluon.draftnet 8.0-BETA3 FreeBSD 8.0-BETA3 #1: Fri Sep  4 09:20:32
 > BST 2009     brucec at gluon.draftnet:/usr/obj/usr/src/sys/GENERIC  i386
 >
 > >Description:
 >
 > The sysctl handler in sys/dev/usb/net/usb_ethernet.c line 143 doesn't
 > NUL-terminate the sysctl string returned to the user because it passes the
 > length as "strlen(name)" instead of "strlen(name)+1".
 >
 > >How-To-Repeat:
 > >
 > >Fix:
 >
 > Patch attached with submission follows:
 >
 > --- usb_ethernet.c.orig	2009-09-05 21:35:09.000000000 +0100
 > +++ usb_ethernet.c	2009-09-05 21:36:18.000000000 +0100
 > @@ -146,7 +146,7 @@
 >  	const char *name;
 >
 >  	name = device_get_nameunit(ue->ue_dev);
 > -	return SYSCTL_OUT(req, name, strlen(name));
 > +	return SYSCTL_OUT(req, name, strlen(name) + 1);
 >  }
 >
 >  int
 >
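
 Review bot: the `+ 1` on the `SYSCTL_OUT` line has no comment saying that the extra byte is the terminating NUL which `strlen(name)` excludes. A one-line comment above the return would stop a later cleanup from dropping it again. Since the line is being touched anyway, style(9) also wants the return value in parentheses: `return (SYSCTL_OUT(req, name, strlen(name) + 1));`. The How-To-Repeat field is empty, so the submission should state how the unterminated string was observed.
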
 > >Release-Note:
 > >Audit-Trail:
 > >Unformatted:
 
 Hi,
 
 When plugging in a USB Ethernet adapter and printing out all sysctls, the parent
 string does not look corrupt. Are you sure that the terminating zero is not
 inserted somewhere else?
 
 --HPS
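
 An added example, not part of the thread and not FreeBSD code: a user-space C model of the length argument the PR discusses. `copy_out` is a hypothetical stand-in for `SYSCTL_OUT`, and the name `ue0` is a constructed sample. In this model, whether the missing terminator is visible depends on what the caller's buffer held before the copy.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for SYSCTL_OUT: copy len bytes into the caller's
 * buffer and report how many bytes were written. Not the kernel macro. */
static size_t copy_out(char *dst, size_t dstlen, const char *src, size_t len)
{
    if (len > dstlen)
        len = dstlen;
    memcpy(dst, src, len);
    return len;
}

/* Returns 1 if a NUL terminator lies within the bytes the handler wrote. */
static int terminated_within(const char *buf, size_t written)
{
    return memchr(buf, '\0', written) != NULL;
}

/* Model one read: prefill the caller buffer with `fill`, run the handler
 * with or without the +1, and return the length a C-string consumer sees. */
static size_t consumer_strlen(int fill, int plus_one, int *term_ok)
{
    const char *name = "ue0";        /* constructed sample device name */
    char buf[16];
    size_t written;

    memset(buf, fill, sizeof(buf));
    buf[sizeof(buf) - 1] = '\0';     /* keeps the demo itself in bounds */
    written = copy_out(buf, sizeof(buf), name,
        strlen(name) + (plus_one ? 1 : 0));
    *term_ok = terminated_within(buf, written);
    return strlen(buf);
}

int main(void)
{
    int ok;

    printf("zeroed buffer, strlen(name):     %zu\n", consumer_strlen(0, 0, &ok));
    printf("dirty buffer,  strlen(name):     %zu\n", consumer_strlen('X', 0, &ok));
    printf("dirty buffer,  strlen(name) + 1: %zu\n", consumer_strlen('X', 1, &ok));
    return 0;
}
```
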

