[src/trunk]: src/sys/arch/prep/prep undefined behavior, buffer overflow

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/f4ded7132592
branches:  trunk
changeset: 787685:f4ded7132592
user:      christos <christos%NetBSD.org@localhost>
date:      Fri Jun 28 14:42:31 2013 +0000

description:
undefined behavior, buffer overflow
http://m00nbsd.net/ae123a9bae03f7dde5c6d654412daf5a.html

diffstat:

 sys/arch/prep/prep/autoconf.c |  39 +++++++++++++++++++++++----------------
 1 files changed, 23 insertions(+), 16 deletions(-)

diffs (107 lines):

diff -r d6c8f079f15e -r f4ded7132592 sys/arch/prep/prep/autoconf.c
--- a/sys/arch/prep/prep/autoconf.c     Fri Jun 28 14:31:49 2013 +0000
+++ b/sys/arch/prep/prep/autoconf.c     Fri Jun 28 14:42:31 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: autoconf.c,v 1.25 2012/07/29 18:05:45 mlelstv Exp $    */
+/*     $NetBSD: autoconf.c,v 1.26 2013/06/28 14:42:31 christos Exp $   */
 
 /*-
  * Copyright (c) 2006 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: autoconf.c,v 1.25 2012/07/29 18:05:45 mlelstv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: autoconf.c,v 1.26 2013/06/28 14:42:31 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -107,6 +107,7 @@
        device_t parent;
        char devpath[256];
        prop_string_t str1;
+       int n;
 
        /* Certain devices will *never* be bootable.  short circuit them. */
 
@@ -144,17 +145,18 @@
        }
        parent = device_parent(dev);
 
+       n = 0;
        if (device_is_a(dev, "pci")) {
                if (device_is_a(parent, "ppb"))
-                       sprintf(devpath, "");
+                       n = snprintf(devpath, sizeof(devpath), "");
                else
-                       sprintf(devpath, "pci@%x",
+                       n = snprintf(devpath, sizeof(devpath), "pci@%x",
                            prep_io_space_tag.pbs_offset);
        }
        if (device_is_a(parent, "pci")) {
                struct pci_attach_args *pa = aux;
 
-               sprintf(devpath, "pci%x,%x@%x,%x",
+               n = snprintf(devpath, sizeof(devpath), "pci%x,%x@%x,%x",
                    PCI_VENDOR(pa->pa_id), PCI_PRODUCT(pa->pa_id),
                    pa->pa_device, pa->pa_function);
        }
@@ -162,42 +164,47 @@
                struct pnpbus_dev_attach_args *pna = aux;
                struct pnpbus_io *io;
 
-               sprintf(devpath, "%s@", pna->pna_devid);
+               n = snprintf(devpath, sizeof(devpath), "%s@",
+                   pna->pna_devid);
                io = SIMPLEQ_FIRST(&pna->pna_res.io);
                if (io != NULL)
-                       sprintf(devpath, "%s%x", devpath, io->minbase);
+                       n += snprintf(devpath + n, sizeof(devpath) - n, "%x",
+                           io->minbase);
        }
 
        /* we can't trust the device tag on the ethernet, because
         * the spec lies about how it is formed.  Therefore we will leave it
         * blank, and trim the end off any ethernet stuff. */
        if (device_class(dev) == DV_IFNET)
-               sprintf(devpath, "%s:", devpath);
+               n += snprintf(devpath + n, sizeof(devpath) - n, ":");
        else if (device_is_a(dev, "cd"))
-               sprintf(devpath, "cdrom@");
+               n = snprintf(devpath, sizeof(devpath), "cdrom@");
        else if (device_class(dev) == DV_DISK)
-               sprintf(devpath, "harddisk@");
+               n = snprintf(devpath, sizeof(devpath), "harddisk@");
        else if (device_class(dev) == DV_TAPE)
-               sprintf(devpath, "tape@");
+               n = snprintf(devpath, sizeof(devpath), "tape@");
        else if (device_is_a(dev, "fd"))
-               sprintf(devpath, "floppy@");
+               n = snprintf(devpath, sizeof(devpath), "floppy@");
 
        if (device_is_a(parent, "scsibus") || device_is_a(parent, "atapibus")) {
                struct scsipibus_attach_args *sa = aux;
 
                /* periph_target is target for scsi, drive # for atapi */
-               sprintf(devpath, "%s%d", devpath, sa->sa_periph->periph_target);
+               n += snprintf(devpath + n, sizeof(devpath) - n, "%d",
+                   sa->sa_periph->periph_target);
                if (device_is_a(parent, "scsibus"))
-                       sprintf(devpath, "%s,%d", devpath,
+                       n += snprintf(devpath + n, sizeof(devpath) - n, ",%d",
                            sa->sa_periph->periph_lun);
        } else if (device_is_a(parent, "atabus") ||
            device_is_a(parent, "pciide")) {
                struct ata_device *adev = aux;
 
-               sprintf(devpath, "%s%d", devpath, adev->adev_drv_data->drive);
+               n += snprintf(devpath + n, sizeof(devpath) - n, "%d",
+                   adev->adev_drv_data->drive);
        } else if (device_is_a(dev, "fd")) {
                /* XXX device_unit() abuse */
-               sprintf(devpath, "%s%d", devpath, device_unit(dev));
+               n += snprintf(devpath + n, sizeof(devpath) - n, "%d",
+                   device_unit(dev));
        }
 
        str1 = prop_string_create_cstring(devpath);