Author: emaste
Date: Tue Jun 25 19:06:43 2019
New Revision: 349385
URL: https://svnweb.freebsd.org/changeset/base/349385

Log:
  bhyve: avoid theoretical stack buffer overflow from integer overflow
  
  Use the proper size_t type to match strlen's return type.  This is not
  exploitable in practice as this parses command line arguments, which
  are limited to well below 2^31 bytes.
  
  This is a minimal change to address the reported issue; hda_parse_config
  and the rest of this file will benefit from further review.
  
  Reported by:  Fakhri Zulkifli
  Reviewed by:  jhb, markj
  MFC after:    3 days
  Sponsored by: The FreeBSD Foundation

Modified:
  head/usr.sbin/bhyve/pci_hda.c

Modified: head/usr.sbin/bhyve/pci_hda.c
==============================================================================
--- head/usr.sbin/bhyve/pci_hda.c       Tue Jun 25 18:58:51 2019        
(r349384)
+++ head/usr.sbin/bhyve/pci_hda.c       Tue Jun 25 19:06:43 2019        
(r349385)
@@ -324,15 +324,14 @@ hda_parse_config(const char *opts, const char *key, ch
        char buf[64];
        char *s = buf;
        char *tmp = NULL;
-       int len;
+       size_t len;
        int i;
 
        if (!opts)
                return (0);
 
        len = strlen(opts);
-
-       if (len >= 64) {
+       if (len >= sizeof(buf)) {
                DPRINTF("Opts too big\n");
                return (0);
        }
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to