Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/arch correct/add protection against snprintf overflow.



details:   https://anonhg.NetBSD.org/src/rev/f647ff9d92a4
branches:  trunk
changeset: 794875:f647ff9d92a4
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Mar 27 18:22:56 2014 +0000

description:
correct/add protection against snprintf overflow.

diffstat:

 sys/arch/dreamcast/dev/maple/maple.c        |   8 +++++---
 sys/arch/ia64/disasm/disasm_format.c        |  10 ++++++++--
 sys/arch/ia64/stand/efi/libefi/devicename.c |  24 ++++++++++++++++--------
 sys/arch/ia64/stand/ia64/ski/devicename.c   |  28 ++++++++++++++++++----------
 sys/arch/next68k/dev/esp.c                  |  28 ++++++++++++++++++++++++++--
 sys/arch/prep/prep/autoconf.c               |  16 ++++++++++++++--
 sys/arch/prep/prep/residual.c               |   6 ++++--
 sys/arch/sparc/sparc/cpu.c                  |  11 ++++++-----
 sys/arch/x86/acpi/acpi_cpu_md.c             |   6 ++++--
 sys/arch/x86/x86/est.c                      |   6 ++++--
 sys/arch/x86/x86/odcm.c                     |   6 ++++--
 sys/arch/x86/x86/procfs_machdep.c           |  20 ++++++++++----------
 sys/arch/xen/xen/pciback.c                  |  20 ++++++++++++++------
 sys/arch/xen/xenbus/xenbus_client.c         |   6 +++---
 14 files changed, 136 insertions(+), 59 deletions(-)

diffs (truncated from 623 to 300 lines):

diff -r e68b1ce23da3 -r f647ff9d92a4 sys/arch/dreamcast/dev/maple/maple.c
--- a/sys/arch/dreamcast/dev/maple/maple.c      Thu Mar 27 17:31:56 2014 +0000
+++ b/sys/arch/dreamcast/dev/maple/maple.c      Thu Mar 27 18:22:56 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: maple.c,v 1.49 2014/03/26 16:08:45 christos Exp $      */
+/*     $NetBSD: maple.c,v 1.50 2014/03/27 18:22:56 christos Exp $      */
 
 /*-
  * Copyright (c) 2002 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: maple.c,v 1.49 2014/03/26 16:08:45 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: maple.c,v 1.50 2014/03/27 18:22:56 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/device.h>
@@ -353,7 +353,9 @@
 static char *
 maple_unit_name(char *buf, size_t len, int port, int subunit)
 {
-       int l = snprintf(buf, len, "maple%c", port + 'A');
+       size_t l = snprintf(buf, len, "maple%c", port + 'A');
+       if (l > len)
+               l = len;
        if (subunit)
                snprintf(buf + l, len - l, "%d", subunit);
 
diff -r e68b1ce23da3 -r f647ff9d92a4 sys/arch/ia64/disasm/disasm_format.c
--- a/sys/arch/ia64/disasm/disasm_format.c      Thu Mar 27 17:31:56 2014 +0000
+++ b/sys/arch/ia64/disasm/disasm_format.c      Thu Mar 27 18:22:56 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: disasm_format.c,v 1.2 2014/03/25 18:35:32 christos Exp $       */
+/*     $NetBSD: disasm_format.c,v 1.3 2014/03/27 18:22:56 christos Exp $       */
 
 /*-
  * Copyright (c) 2000-2003 Marcel Moolenaar
@@ -277,6 +277,8 @@
        }
        if (n[0] != '\0') {
                l = snprintf(buf, buflen, "%s[", n);
+               if (l > buflen)
+                       l = buflen;
                buf += l;
                buflen -= l;
        }
@@ -284,7 +286,11 @@
        case 1: l = strlcpy(buf, "gp", buflen); break;
        case 12: l = strlcpy(buf, "sp", buflen); break;
        case 13: l = strlcpy(buf, "tp", buflen); break;
-       default: l += snprintf(buf, buflen, "r%d", (int)o->o_value); break;
+       default:
+           l += snprintf(buf, buflen, "r%d", (int)o->o_value);
+           if (l > buflen)
+               l = buflen;
+           break;
        }
        buf += l;
        buflen -= l;
diff -r e68b1ce23da3 -r f647ff9d92a4 sys/arch/ia64/stand/efi/libefi/devicename.c
--- a/sys/arch/ia64/stand/efi/libefi/devicename.c       Thu Mar 27 17:31:56 2014 +0000
+++ b/sys/arch/ia64/stand/efi/libefi/devicename.c       Thu Mar 27 18:22:56 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: devicename.c,v 1.6 2014/03/25 18:35:33 christos Exp $  */
+/*     $NetBSD: devicename.c,v 1.7 2014/03/27 18:22:56 christos Exp $  */
 
 /*-
  * Copyright (c) 1998 Michael Smith <msmith%freebsd.org@localhost>
@@ -208,7 +208,7 @@
 {
        struct efi_devdesc *dev = (struct efi_devdesc *)vdev;
        static char     buf[128];       /* XXX device length constant? */
-       size_t          len;
+       size_t          len, buflen = sizeof(buf);
     
        switch(dev->d_type) {
        case DEVT_NONE:
@@ -216,16 +216,24 @@
                break;
 
        case DEVT_DISK:
-               len = snprintf(buf, sizeof(buf), "%s%d", dev->d_dev->dv_name, dev->d_kind.efidisk.unit);
-               if (dev->d_kind.efidisk.slice > 0)
-                       len += snprintf(buf + len, sizeof(buf) - len, "s%d", dev->d_kind.efidisk.slice);
-               if (dev->d_kind.efidisk.partition >= 0)
-                       len += snprintf(buf + len, sizeof(buf) - len, "%c", dev->d_kind.efidisk.partition + 'a');
+               len = snprintf(buf, buflen, "%s%d", dev->d_dev->dv_name, dev->d_kind.efidisk.unit);
+               if (len > buflen)
+                       len = buflen;
+               if (dev->d_kind.efidisk.slice > 0) {
+                       len += snprintf(buf + len, buflen - len, "s%d", dev->d_kind.efidisk.slice);
+                       if (len > buflen)
+                               len = buflen;
+               }
+               if (dev->d_kind.efidisk.partition >= 0) {
+                       len += snprintf(buf + len, buflen - len, "%c", dev->d_kind.efidisk.partition + 'a');
+                       if (len > buflen)
+               }
+                               len = buflen;
                strlcat(buf, ":", sizeof(buf) - len);
                break;
 
        case DEVT_NET:
-               snprintf(buf, sizeof(buf), "%s%d:", dev->d_dev->dv_name, dev->d_kind.netif.unit);
+               snprintf(buf, buflen, "%s%d:", dev->d_dev->dv_name, dev->d_kind.netif.unit);
                break;
        }
        return(buf);
diff -r e68b1ce23da3 -r f647ff9d92a4 sys/arch/ia64/stand/ia64/ski/devicename.c
--- a/sys/arch/ia64/stand/ia64/ski/devicename.c Thu Mar 27 17:31:56 2014 +0000
+++ b/sys/arch/ia64/stand/ia64/ski/devicename.c Thu Mar 27 18:22:56 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: devicename.c,v 1.5 2014/03/25 18:35:33 christos Exp $  */
+/*     $NetBSD: devicename.c,v 1.6 2014/03/27 18:22:56 christos Exp $  */
 
 /*-
  * Copyright (c) 1998 Michael Smith <msmith%freebsd.org@localhost>
@@ -203,24 +203,32 @@
 {
        struct ski_devdesc *dev = (struct ski_devdesc *)vdev;
        static char     buf[128];       /* XXX device length constant? */
-       size_t len;
+       size_t len, buflen = sizeof(buf);
     
        switch(dev->d_type) {
        case DEVT_NONE:
-               strcpy(buf, "(no device)");
+               strlcpy(buf, "(no device)", buflen);
                break;
 
        case DEVT_DISK:
-               len = snprintf(buf, sizeof(buf), "%s%d", dev->d_dev->dv_name, dev->d_kind.skidisk.unit);
-               if (dev->d_kind.skidisk.slice > 0)
-                       len = snprintf(buf, sizeof(buf) - len, "s%d", dev->d_kind.skidisk.slice);
-               if (dev->d_kind.skidisk.partition >= 0)
-                       len = snprintf(buf, sizeof(buf) - len, "%c", dev->d_kind.skidisk.partition + 'a');
-               strlcat(cp, ":", sizeof(buf) - len);
+               len = snprintf(buf, buflen, "%s%d", dev->d_dev->dv_name, dev->d_kind.skidisk.unit);
+               if (len > buflen)
+                       len = buflen;
+               if (dev->d_kind.skidisk.slice > 0) {
+                       len += snprintf(buf + len, buflen - len, "s%d", dev->d_kind.skidisk.slice);
+                       if (len > buflen)
+                               len = buflen;
+               }
+               if (dev->d_kind.skidisk.partition >= 0) {
+                       len += snprintf(buf + len, buflen - len, "%c", dev->d_kind.skidisk.partition + 'a');
+                       if (len > buflen)
+                               len = buflen;
+               }
+               strlcat(cp, ":", buflen - len);
                break;
 
        case DEVT_NET:
-               snprintf(buf, sizeof(buf) - len, "%s%d:", dev->d_dev->dv_name, dev->d_kind.netif.unit);
+               snprintf(buf, buflen - len, "%s%d:", dev->d_dev->dv_name, dev->d_kind.netif.unit);
                break;
        }
        return(buf);
diff -r e68b1ce23da3 -r f647ff9d92a4 sys/arch/next68k/dev/esp.c
--- a/sys/arch/next68k/dev/esp.c        Thu Mar 27 17:31:56 2014 +0000
+++ b/sys/arch/next68k/dev/esp.c        Thu Mar 27 18:22:56 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: esp.c,v 1.61 2014/03/25 19:41:32 christos Exp $        */
+/*     $NetBSD: esp.c,v 1.62 2014/03/27 18:22:56 christos Exp $        */
 
 /*-
  * Copyright (c) 1997, 1998 The NetBSD Foundation, Inc.
@@ -75,7 +75,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: esp.c,v 1.61 2014/03/25 19:41:32 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: esp.c,v 1.62 2014/03/27 18:22:56 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -1155,8 +1155,12 @@
        
        l += snprintf(p + l, len - l, "%s: sc_datain=%d\n",
            device_xname(sc->sc_dev), esc->sc_datain);
+       if (l > len)
+               return;
        l += snprintf(p + l, len - l, "%s: sc_loaded=0x%08x\n",
            device_xname(sc->sc_dev), esc->sc_loaded);
+       if (l > len)
+               return;
 
        if (esc->sc_dmaaddr) {
                l += snprintf(p + l, len - l, "%s: sc_dmaaddr=%p\n",
@@ -1165,6 +1169,8 @@
                l += snprintf(p + l, len - l, "%s: sc_dmaaddr=NULL\n",
                    device_xname(sc->sc_dev));
        }
+       if (l > len)
+               return;
        if (esc->sc_dmalen) {
                l += snprintf(p + l, len - l, "%s: sc_dmalen=0x%08x\n", 
                    device_xname(sc->sc_dev), *esc->sc_dmalen);
@@ -1172,19 +1178,29 @@
                l += snprintf(p + l, len - l, "%s: sc_dmalen=NULL\n",
                    device_xname(sc->sc_dev));
        }
+       if (l > len)
+               return;
        l += snprintf(p + l, len - l, "%s: sc_dmasize=0x%08x\n",
            device_xname(sc->sc_dev), esc->sc_dmasize);
+       if (l > len)
+               return;
 
        l += snprintf(p + l, len - l, "%s: sc_begin = %p, sc_begin_size = 0x%08x\n",
+       if (l > len)
+               return;
            device_xname(sc->sc_dev), esc->sc_begin, esc->sc_begin_size);
        l += snprintf(p + l, len - l, "%s: sc_main = %p, sc_main_size = 0x%08x\n",
            device_xname(sc->sc_dev), esc->sc_main, esc->sc_main_size);
+       if (l > len)
+               return;
        /* if (esc->sc_main) */ {
                int i;
                bus_dmamap_t map = esc->sc_main_dmamap;
                l += snprintf(p + l, len - l, "%s: sc_main_dmamap."
                    " mapsize = 0x%08lx, nsegs = %d\n",
                    device_xname(sc->sc_dev), map->dm_mapsize, map->dm_nsegs);
+               if (l > len)
+                       return;
                for(i = 0; i < map->dm_nsegs; i++) {
                        l += snprintf(p + l, len - l, "%s:"
                            " map->dm_segs[%d].ds_addr = 0x%08lx,"
@@ -1192,16 +1208,22 @@
                            device_xname(sc->sc_dev),
                            i, map->dm_segs[i].ds_addr,
                            map->dm_segs[i].ds_len);
+                           if (l > len)
+                                   return;
                }
        }
        l += snprintf(p + l, len - l, "%s: sc_tail = %p, sc_tail_size = 0x%08x\n",
            device_xname(sc->sc_dev), esc->sc_tail, esc->sc_tail_size);
+       if (l > len)
+               return;
        /* if (esc->sc_tail) */ {
                int i;
                bus_dmamap_t map = esc->sc_tail_dmamap;
                l += snprintf(p + l, len - l, "%s: sc_tail_dmamap."
                    " mapsize = 0x%08lx, nsegs = %d\n",
                    device_xname(sc->sc_dev), map->dm_mapsize, map->dm_nsegs);
+               if (l > len)
+                       return;
                for (i = 0; i < map->dm_nsegs; i++) {
                        l += snprintf(p + l, len - l, "%s:"
                            " map->dm_segs[%d].ds_addr = 0x%08lx,"
@@ -1209,6 +1231,8 @@
                            device_xname(sc->sc_dev),
                            i, map->dm_segs[i].ds_addr,
                             map->dm_segs[i].ds_len);
+                       if (l > len)
+                               return;
                }
        }
 }
diff -r e68b1ce23da3 -r f647ff9d92a4 sys/arch/prep/prep/autoconf.c
--- a/sys/arch/prep/prep/autoconf.c     Thu Mar 27 17:31:56 2014 +0000
+++ b/sys/arch/prep/prep/autoconf.c     Thu Mar 27 18:22:56 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: autoconf.c,v 1.26 2013/06/28 14:42:31 christos Exp $   */
+/*     $NetBSD: autoconf.c,v 1.27 2014/03/27 18:22:56 christos Exp $   */
 
 /*-
  * Copyright (c) 2006 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: autoconf.c,v 1.26 2013/06/28 14:42:31 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: autoconf.c,v 1.27 2014/03/27 18:22:56 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -167,11 +167,15 @@
                n = snprintf(devpath, sizeof(devpath), "%s@",
                    pna->pna_devid);
                io = SIMPLEQ_FIRST(&pna->pna_res.io);
+               if (n > sizeof(devpath))
+                       n = sizeof(devpath);
                if (io != NULL)
                        n += snprintf(devpath + n, sizeof(devpath) - n, "%x",
                            io->minbase);
        }
 
+       if (n > sizeof(devpath))
+               n = sizeof(devpath);
        /* we can't trust the device tag on the ethernet, because
         * the spec lies about how it is formed.  Therefore we will leave it
         * blank, and trim the end off any ethernet stuff. */
@@ -190,8 +194,12 @@
                struct scsipibus_attach_args *sa = aux;
 
                /* periph_target is target for scsi, drive # for atapi */



Home | Main Index | Thread Index | Old Index