Author: emaste Date: Tue Jun 25 19:06:43 2019 New Revision: 349385 URL: https://svnweb.freebsd.org/changeset/base/349385
Log: bhyve: avoid theoretical stack buffer overflow from integer overflow Use the proper size_t type to match strlen's return type. This is not exploitable in practice as this parses command line arguments, which are limited to well below 2^31 bytes. This is a minimal change to address the reported issue; hda_parse_config and the rest of this file will benefit from further review. Reported by: Fakhri Zulkifli Reviewed by: jhb, markj MFC after: 3 days Sponsored by: The FreeBSD Foundation Modified: head/usr.sbin/bhyve/pci_hda.c Modified: head/usr.sbin/bhyve/pci_hda.c ============================================================================== --- head/usr.sbin/bhyve/pci_hda.c Tue Jun 25 18:58:51 2019 (r349384) +++ head/usr.sbin/bhyve/pci_hda.c Tue Jun 25 19:06:43 2019 (r349385) @@ -324,15 +324,14 @@ hda_parse_config(const char *opts, const char *key, ch char buf[64]; char *s = buf; char *tmp = NULL; - int len; + size_t len; int i; if (!opts) return (0); len = strlen(opts); - - if (len >= 64) { + if (len >= sizeof(buf)) { DPRINTF("Opts too big\n"); return (0); } _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"