Subject: bin/10035: Kdump dumps core if read buffer is long
To: None <gnats-bugs@gnats.netbsd.org>
From: None <kivinen@ssh.fi>
List: netbsd-bugs
Date: 05/01/2000 17:58:13
>Number: 10035
>Category: bin
>Synopsis: kdump dumps core
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon May 01 17:59:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Tero Kivinen
>Release: NetBSD current 2000-04-20
>Organization:
SSH Communications Security
>Environment:
System: NetBSD kahva.ssh.fi 1.4X NetBSD 1.4X (KAHVA) #0: Thu Apr 27 09:28:18 EEST 2000 ztk@kahva.ssh.fi:/usr/src/sys/arch/i386/compile/KAHVA i386
>Description:
Kdump dumps core on line kdump.c:473, because the *(dp+1) is out
of bounds for the last character in the buffer.
>How-To-Repeat:
Fetch vuescan (http://www.hamrick.com/) and run it under ktrace
(ktrace ./vuescan). Then exit and run kdump, it will dump core.
>Fix:
Here is a diff:
----------------------------------------------------------------------
*** kdump.c.orig Tue May 2 06:50:17 2000
--- kdump.c Tue May 2 06:50:52 2000
***************
*** 470,475 ****
--- 470,478 ----
(void)printf(" \"");
col = 8;
for (; datalen > 0; datalen--, dp++) {
+ if (datalen == 1)
+ (void) vis(visbuf, *dp, VIS_CSTYLE, 0);
+ else
(void) vis(visbuf, *dp, VIS_CSTYLE, *(dp+1));
cp = visbuf;
/*
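Review bot: the `datalen == 1` guard fixes the out-of-bounds read of `*(dp+1)` on the last byte, but the existing `vis()` call that becomes the `else` body is left at its old indentation, so the two branches read as if only the first were conditional; either re-indent that line under the `else` or fold the guard into the argument, e.g. `(void) vis(visbuf, *dp, VIS_CSTYLE, datalen > 1 ? *(dp+1) : 0);`, which avoids duplicating the call. The hunk also carries no path relative to the source tree (`kdump.c.orig` / `kdump.c`), so it will need to be applied from inside `usr.bin/kdump`.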
>Release-Note:
>Audit-Trail:
>Unformatted:
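As an added illustration (not code from this report, nor from NetBSD's kdump or vis(3)), the following C program implements a simplified C-style escaper with the same next-byte lookahead that vis(3) applies under VIS_CSTYLE: a NUL is written as `\0` unless the byte after it is an octal digit, in which case it is written as `\000` so the two bytes cannot be misread as one longer escape. The encoding loop mirrors the patched loop above: every byte is encoded with its successor as lookahead except the final one, which gets 0 because `dp[datalen]` lies outside the buffer. The function names, the `encode_byte` escaping rules and the sample inputs are this example's own assumptions and only approximate what vis(3) does.

```c
/* Added example: a minimal C-style escaper with the lookahead rule that
 * makes vis(3)'s nextc argument necessary, written so the last byte of the
 * input is never read past. Not the kdump or vis(3) source. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encode one byte into `out` (NUL-terminated). `nextc` plays the role of
 * vis(3)'s fourth argument. Returns the number of characters written. */
static size_t encode_byte(char *out, unsigned char c, unsigned char nextc)
{
    switch (c) {
    case '\n': return (size_t)sprintf(out, "\\n");
    case '\t': return (size_t)sprintf(out, "\\t");
    case '\\': return (size_t)sprintf(out, "\\\\");
    case '\0':
        /* The one place the lookahead matters: "\0" followed by a literal
         * '7' would otherwise decode as the single byte 07. */
        if (nextc >= '0' && nextc <= '7')
            return (size_t)sprintf(out, "\\000");
        return (size_t)sprintf(out, "\\0");
    default:
        if (isprint(c)) {
            out[0] = (char)c;
            out[1] = '\0';
            return 1;
        }
        return (size_t)sprintf(out, "\\%03o", c);
    }
}

/* Encode `datalen` bytes from `dp` into `out` (capacity `outlen`).
 * Same shape as the kdump loop; the ternary is the guard from the patch.
 * Returns the number of characters written, or (size_t)-1 when `out`
 * is too small (nothing is written in that case). */
size_t encode_buffer(const unsigned char *dp, size_t datalen,
                     char *out, size_t outlen)
{
    size_t used = 0;

    for (; datalen > 0; datalen--, dp++) {
        char tmp[8];
        /* Last byte: dp[1] would be one past the end, so pass 0 instead. */
        unsigned char nextc = (datalen == 1) ? 0 : dp[1];
        size_t n = encode_byte(tmp, *dp, nextc);

        if (used + n + 1 > outlen)
            return (size_t)-1;
        memcpy(out + used, tmp, n);
        used += n;
    }
    if (outlen == 0)
        return (size_t)-1;
    out[used] = '\0';
    return used;
}

/* Convenience check: 1 if encoding `dp[0..datalen)` yields `expected`. */
int check_encoding(const unsigned char *dp, size_t datalen,
                   const char *expected)
{
    char out[128];
    size_t n = encode_buffer(dp, datalen, out, sizeof out);

    return n != (size_t)-1 && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample: a NUL followed by an octal digit, the case the
     * lookahead exists for, with the NUL as the *last* byte of a second
     * buffer to exercise the guard. */
    static const unsigned char sample1[] = { 'h', 'i', '\0', '7' };
    static const unsigned char sample2[] = { 'o', 'k', '\0' };
    char out[128];

    if (encode_buffer(sample1, sizeof sample1, out, sizeof out) != (size_t)-1)
        printf("%s\n", out);
    if (encode_buffer(sample2, sizeof sample2, out, sizeof out) != (size_t)-1)
        printf("%s\n", out);
    return 0;
}
```

Run under a memory checker (for example a build with `-fsanitize=address`) to confirm that a buffer whose last byte is a NUL no longer touches `dp[datalen]`; without the ternary, the read past the end is exactly the one the report describes.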