Module Name: src
Committed By: christos
Date: Fri Jun 28 14:42:31 UTC 2013
Modified Files:
src/sys/arch/prep/prep: autoconf.c
Log Message:
undefined behavior, buffer overflow
http://m00nbsd.net/ae123a9bae03f7dde5c6d654412daf5a.html
To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/sys/arch/prep/prep/autoconf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/prep/prep/autoconf.c
diff -u src/sys/arch/prep/prep/autoconf.c:1.25 src/sys/arch/prep/prep/autoconf.c:1.26
--- src/sys/arch/prep/prep/autoconf.c:1.25 Sun Jul 29 14:05:45 2012
+++ src/sys/arch/prep/prep/autoconf.c Fri Jun 28 10:42:31 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: autoconf.c,v 1.25 2012/07/29 18:05:45 mlelstv Exp $ */
+/* $NetBSD: autoconf.c,v 1.26 2013/06/28 14:42:31 christos Exp $ */
/*-
* Copyright (c) 2006 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: autoconf.c,v 1.25 2012/07/29 18:05:45 mlelstv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: autoconf.c,v 1.26 2013/06/28 14:42:31 christos Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -107,6 +107,7 @@ device_register(device_t dev, void *aux)
device_t parent;
char devpath[256];
prop_string_t str1;
+ int n;
/* Certain devices will *never* be bootable. short circuit them. */
@@ -144,17 +145,18 @@ device_register(device_t dev, void *aux)
}
parent = device_parent(dev);
+ n = 0;
if (device_is_a(dev, "pci")) {
if (device_is_a(parent, "ppb"))
- sprintf(devpath, "");
+ n = snprintf(devpath, sizeof(devpath), "");
else
- sprintf(devpath, "pci@%x",
+ n = snprintf(devpath, sizeof(devpath), "pci@%x",
prep_io_space_tag.pbs_offset);
}
if (device_is_a(parent, "pci")) {
struct pci_attach_args *pa = aux;
- sprintf(devpath, "pci%x,%x@%x,%x",
+ n = snprintf(devpath, sizeof(devpath), "pci%x,%x@%x,%x",
PCI_VENDOR(pa->pa_id), PCI_PRODUCT(pa->pa_id),
pa->pa_device, pa->pa_function);
}
@@ -162,42 +164,47 @@ device_register(device_t dev, void *aux)
struct pnpbus_dev_attach_args *pna = aux;
struct pnpbus_io *io;
- sprintf(devpath, "%s@", pna->pna_devid);
+ n = snprintf(devpath, sizeof(devpath), "%s@",
+ pna->pna_devid);
io = SIMPLEQ_FIRST(&pna->pna_res.io);
if (io != NULL)
- sprintf(devpath, "%s%x", devpath, io->minbase);
+ n += snprintf(devpath + n, sizeof(devpath) - n, "%x",
+ io->minbase);
}
/* we can't trust the device tag on the ethernet, because
* the spec lies about how it is formed. Therefore we will leave it
* blank, and trim the end off any ethernet stuff. */
if (device_class(dev) == DV_IFNET)
- sprintf(devpath, "%s:", devpath);
+ n += snprintf(devpath + n, sizeof(devpath) - n, ":");
else if (device_is_a(dev, "cd"))
- sprintf(devpath, "cdrom@");
+ n = snprintf(devpath, sizeof(devpath), "cdrom@");
else if (device_class(dev) == DV_DISK)
- sprintf(devpath, "harddisk@");
+ n = snprintf(devpath, sizeof(devpath), "harddisk@");
else if (device_class(dev) == DV_TAPE)
- sprintf(devpath, "tape@");
+ n = snprintf(devpath, sizeof(devpath), "tape@");
else if (device_is_a(dev, "fd"))
- sprintf(devpath, "floppy@");
+ n = snprintf(devpath, sizeof(devpath), "floppy@");
if (device_is_a(parent, "scsibus") || device_is_a(parent, "atapibus")) {
struct scsipibus_attach_args *sa = aux;
/* periph_target is target for scsi, drive # for atapi */
- sprintf(devpath, "%s%d", devpath, sa->sa_periph->periph_target);
+ n += snprintf(devpath + n, sizeof(devpath) - n, "%d",
+ sa->sa_periph->periph_target);
if (device_is_a(parent, "scsibus"))
- sprintf(devpath, "%s,%d", devpath,
+ n += snprintf(devpath + n, sizeof(devpath) - n, ",%d",
sa->sa_periph->periph_lun);
} else if (device_is_a(parent, "atabus") ||
device_is_a(parent, "pciide")) {
struct ata_device *adev = aux;
- sprintf(devpath, "%s%d", devpath, adev->adev_drv_data->drive);
+ n += snprintf(devpath + n, sizeof(devpath) - n, "%d",
+ adev->adev_drv_data->drive);
} else if (device_is_a(dev, "fd")) {
/* XXX device_unit() abuse */
- sprintf(devpath, "%s%d", devpath, device_unit(dev));
+ n += snprintf(devpath + n, sizeof(devpath) - n, "%d",
+ device_unit(dev));
}
str1 = prop_string_create_cstring(devpath);
