CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/06/26 04:32:32
Modified files:
sys/dev/usb : ucom.c
Log message:
ucom: fix OOB write in sysctl_ucominit with no ucom devices
cd_ndevs==0 makes ucomslen 0, so malloc(0) returns unzeroed storage
(M_ZERO memsets osize==0 bytes). strlen(ucoms) then walks garbage and
ucoms[strlen-1]=0 stores out of bounds (KASAN: __asan_store1, hw.ucomnames).
Size the buffer for one extra slot so it is never zero-sized.
KASAN#2, with a murmur of agreement in the hackroom