Source-Changes-D archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
re: CVS commit: src/sys/dev/pci
> We currently have a few product names that exceed the old limit, and
> this is triggering an SSP check in pci_devinfo(). This commit doesn't
> directly address the SSP issue, but pushes the can down the road...
i think you're right that the 'cp' manipulation is the problem.
snprintf() will return the "desired" size, so upon the first
attempted overflow the 'cp' is moved beyond 'ep', and then the
next snprintf() gets a negative aka extremely massive value
for the buffer length and actual overflow happens here, and ssp
detects it.
the fix would be to change this:
cp += snprintf(cp, ep - cp, ...);
into this:
len = snprintf(cp, ep - cp, ...);
if (len > ep - cp)
return;
cp += len;
which is annoying because there are a lot of the former.
.mrg.
Home |
Main Index |
Thread Index |
Old Index