buffer overflow in devclass_add_device()...

To: new-bus@xxxxxxxxxxx
Subject: buffer overflow in devclass_add_device()...
From: John Baldwin <jhb@xxxxxxxxxxx>
Date: Mon, 05 Aug 2002 08:45:07 -0400 (EDT)
Delivered-to: freebsd-new-bus@xxxxxxxxxxx
List-archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-id: <freebsd-new-bus.FreeBSD.ORG>
List-subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-new-bus>
List-unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-new-bus>
Sender: owner-freebsd-new-bus@xxxxxxxxxxx

Just in case you all didn't know this already, in the case of an
unwired device (dev->unit == -1) devclass_add_device() malloc's
a string assuming the unit count is 2 chars wide.  If we get a
unit >= 100, then we will overflow the buffer.  Probably we should
just malloc the nameunit buffer after we do the devclass_alloc_unit().

-- 

John Baldwin <jhb@xxxxxxxxxxx>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@xxxxxxxxxxx
with "unsubscribe freebsd-new-bus" in the body of the message

Prev by Date: Adding newbus abstraction to parallel port devices
Next by Date: Fixing ISA device probing
Previous by thread: Adding newbus abstraction to parallel port devices
Next by thread: Fixing ISA device probing
Index(es):
- Date
- Thread