[src/netbsd-7]: src/sys/dev/pci Pull up following revision(s) (requested by p...

[snj <snj%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/1bae8774d203
branches:  netbsd-7
changeset: 800037:1bae8774d203
user:      snj <snj%NetBSD.org@localhost>
date:      Fri Dec 09 04:56:25 2016 +0000

description:
Pull up following revision(s) (requested by pgoyette in ticket #1296):
        sys/dev/pci/pci_subr.c: revision 1.155 via patch
Protect against buffer overflow.

diffstat:

 sys/dev/pci/pci_subr.c |  73 +++++++++++++++++++++++++++++++++++--------------
 1 files changed, 52 insertions(+), 21 deletions(-)

diffs (132 lines):

diff -r 667ac2fedca7 -r 1bae8774d203 sys/dev/pci/pci_subr.c
--- a/sys/dev/pci/pci_subr.c    Fri Dec 09 04:48:44 2016 +0000
+++ b/sys/dev/pci/pci_subr.c    Fri Dec 09 04:56:25 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: pci_subr.c,v 1.124.2.2 2014/12/14 16:49:35 martin Exp $        */
+/*     $NetBSD: pci_subr.c,v 1.124.2.3 2016/12/09 04:56:25 snj Exp $   */
 
 /*
  * Copyright (c) 1997 Zubin D. Dittia.  All rights reserved.
@@ -40,7 +40,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pci_subr.c,v 1.124.2.2 2014/12/14 16:49:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pci_subr.c,v 1.124.2.3 2016/12/09 04:56:25 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_pci.h"
@@ -54,6 +54,7 @@
 #include <sys/module.h>
 #else
 #include <pci.h>
+#include <stdarg.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
@@ -618,6 +619,43 @@
 }
 #endif
 
+/*
+ * Append a formatted string to dest without writing more than len
+ * characters (including the trailing NUL character).  dest and len
+ * are updated for use in subsequent calls to snappendf().
+ *
+ * Returns 0 on success, a negative value if vnsprintf() fails, or
+ * a positive value if the dest buffer would have overflowed.
+ */
+
+static int __printflike(3,4)
+snappendf(char **dest, size_t *len, const char * restrict fmt, ...)
+{
+       va_list ap;
+       int count;
+
+       va_start(ap, fmt);
+       count = vsnprintf(*dest, *len, fmt, ap);
+       va_end(ap);
+
+       /* Let vsnprintf() errors bubble up to caller */
+       if (count < 0 || *len == 0)
+               return count;
+
+       /* Handle overflow */
+       if ((size_t)count >= *len) {
+               *dest += *len - 1;
+               *len = 1;
+               return 1;
+       }
+
+       /* Update dest & len to point at trailing NUL */
+       *dest += count;
+       *len -= count;
+               
+       return 0;
+}
+
 void
 pci_devinfo(pcireg_t id_reg, pcireg_t class_reg, int showclass, char *cp,
     size_t l)
@@ -631,9 +669,6 @@
        const char *unmatched = pci_unmatched;
        const char *vendor_namep, *product_namep;
        const struct pci_class *classp, *subclassp, *interfacep;
-       char *ep;
-
-       ep = cp + l;
 
        vendor = PCI_VENDOR(id_reg);
        product = PCI_PRODUCT(id_reg);
@@ -669,39 +704,35 @@
        }
 
        if (vendor_namep == NULL)
-               cp += snprintf(cp, ep - cp, "%svendor 0x%04x product 0x%04x",
+               (void)snappendf(&cp, &l, "%svendor 0x%04x product 0x%04x",
                    unmatched, vendor, product);
        else if (product_namep != NULL)
-               cp += snprintf(cp, ep - cp, "%s %s", vendor_namep,
-                   product_namep);
+               (void)snappendf(&cp, &l, "%s %s", vendor_namep, product_namep);
        else
-               cp += snprintf(cp, ep - cp, "%s product 0x%04x",
+               (void)snappendf(&cp, &l, "%s product 0x%04x",
                    vendor_namep, product);
        if (showclass) {
-               cp += snprintf(cp, ep - cp, " (");
+               (void)snappendf(&cp, &l, " (");
                if (classp->name == NULL)
-                       cp += snprintf(cp, ep - cp,
+                       (void)snappendf(&cp, &l,
                            "class 0x%02x, subclass 0x%02x", class, subclass);
                else {
                        if (subclassp == NULL || subclassp->name == NULL)
-                               cp += snprintf(cp, ep - cp,
-                                   "%s, subclass 0x%02x",
+                               (void)snappendf(&cp, &l, "%s, subclass 0x%02x",
                                    classp->name, subclass);
                        else
-                               cp += snprintf(cp, ep - cp, "%s %s",
+                               (void)snappendf(&cp, &l, "%s %s",
                                    subclassp->name, classp->name);
                }
                if ((interfacep == NULL) || (interfacep->name == NULL)) {
                        if (interface != 0)
-                               cp += snprintf(cp, ep - cp,
-                                   ", interface 0x%02x", interface);
+                               (void)snappendf(&cp, &l, ", interface 0x%02x",
+                                   interface);
                } else if (strncmp(interfacep->name, "", 1) != 0)
-                       cp += snprintf(cp, ep - cp, ", %s",
-                           interfacep->name);
+                       (void)snappendf(&cp, &l, ", %s", interfacep->name);
                if (revision != 0)
-                       cp += snprintf(cp, ep - cp, ", revision 0x%02x",
-                           revision);
-               cp += snprintf(cp, ep - cp, ")");
+                       (void)snappendf(&cp, &l, ", revision 0x%02x", revision);
+               (void)snappendf(&cp, &l, ")");
        }
 }