Author: emaste
Date: Tue Jun 25 19:06:43 2019
New Revision: 349385
URL: https://svnweb.freebsd.org/changeset/base/349385
Log:
bhyve: avoid theoretical stack buffer overflow from integer overflow
Use the proper size_t type to match strlen's return type. This is not
exploitable in practice as this parses command line arguments, which
are limited to well below 2^31 bytes.
This is a minimal change to address the reported issue; hda_parse_config
and the rest of this file will benefit from further review.
Reported by: Fakhri Zulkifli
Reviewed by: jhb, markj
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Modified:
head/usr.sbin/bhyve/pci_hda.c
Modified: head/usr.sbin/bhyve/pci_hda.c
==============================================================================
--- head/usr.sbin/bhyve/pci_hda.c Tue Jun 25 18:58:51 2019
(r349384)
+++ head/usr.sbin/bhyve/pci_hda.c Tue Jun 25 19:06:43 2019
(r349385)
@@ -324,15 +324,14 @@ hda_parse_config(const char *opts, const char *key, ch
char buf[64];
char *s = buf;
char *tmp = NULL;
- int len;
+ size_t len;
int i;
if (!opts)
return (0);
len = strlen(opts);
-
- if (len >= 64) {
+ if (len >= sizeof(buf)) {
DPRINTF("Opts too big\n");
return (0);
}
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
