svn commit: r318790 - head/usr.sbin/bootparamd/bootparamd
Alan Somers
asomers at FreeBSD.org
Wed May 24 16:30:39 UTC 2017
Author: asomers
Date: Wed May 24 16:30:38 2017
New Revision: 318790
URL: https://svnweb.freebsd.org/changeset/base/318790
Log:
Fix a buffer overflow in bootparamd(8)
If /etc/bootparams contains a line with an excessively long pathname, and a
client asks for that path, then bootparamd will overflow a buffer and crash
while parsing that line. This is not remotely exploitable since it requires
a malformed /etc/bootparams file.
Reported by: Coverity
CID: 1305954
MFC after: 1 week
Sponsored by: Spectra Logic Corp
Modified:
head/usr.sbin/bootparamd/bootparamd/bootparamd.c
Modified: head/usr.sbin/bootparamd/bootparamd/bootparamd.c
==============================================================================
--- head/usr.sbin/bootparamd/bootparamd/bootparamd.c Wed May 24 14:36:51 2017 (r318789)
+++ head/usr.sbin/bootparamd/bootparamd/bootparamd.c Wed May 24 16:30:38 2017 (r318790)
@@ -199,7 +199,10 @@ int blen;
int ch, pch, fid_len, res = 0;
int match = 0;
- char info[MAX_FILEID + MAX_PATH_LEN+MAX_MACHINE_NAME + 3];
+#define INFOLEN 1343
+ _Static_assert(INFOLEN >= MAX_FILEID + MAX_PATH_LEN+MAX_MACHINE_NAME + 3,
+ "INFOLEN isn't large enough");
+ char info[INFOLEN + 1];
bpf = fopen(bootpfile, "r");
if ( ! bpf )
@@ -251,8 +254,9 @@ int blen;
info of the file */
if (match) {
- fid_len = strlen(fileid);
- while ( ! res && (fscanf(bpf,"%s", info)) > 0) { /* read a string */
+#define AS_FORMAT(d) "%" #d "s"
+#define REXPAND(d) AS_FORMAT(d) /* Force another preprocessor expansion */
+ while ( ! res && (fscanf(bpf, REXPAND(INFOLEN), info)) > 0) {
ch = getc(bpf); /* and a character */
if ( *info != '#' ) { /* Comment ? */
if (! strncmp(info, fileid, fid_len) && *(info + fid_len) == '=') {
More information about the svn-src-head
mailing list