diff options
author | Peter Wemm <peter@FreeBSD.org> | 2000-07-14 00:29:00 +0000 |
---|---|---|
committer | Peter Wemm <peter@FreeBSD.org> | 2000-07-14 00:29:00 +0000 |
commit | 05f560ae5999d958a823ec293eb19120f9cfccc7 (patch) | |
tree | 2897348e49df554e34d18e29fabfd4fa8d73045a | |
parent | 1994f5c7aadb7dc3c2b9f2c06c387cb0f838d2b3 (diff) | |
download | src-05f560ae5999d958a823ec293eb19120f9cfccc7.tar.gz src-05f560ae5999d958a823ec293eb19120f9cfccc7.zip |
Correct an additional off-by-one bug and buffer overflow. A malloc()
was being made one byte too short, and the string assembled in it was not
null terminated. The string was passed to regcomp() so it never matched
anything in /etc/usbd.conf. This is the cause of usbd not working for the
last few days.. The new malloc.conf default of AJ triggered this.
Notes
Notes:
svn path=/head/; revision=63096
-rw-r--r-- | usr.sbin/usbd/usbd.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.sbin/usbd/usbd.c b/usr.sbin/usbd/usbd.c index 4252e0f01054..11139c104e1b 100644 --- a/usr.sbin/usbd/usbd.c +++ b/usr.sbin/usbd/usbd.c @@ -379,13 +379,14 @@ set_devname_field(action_t *action, char *args, char **trail) return(0); len = strlen(action->devname); - string = malloc(len + 14); + string = malloc(len + 15); if (string == NULL) return(0); bcopy(action->devname, string+7, len); /* make some space for */ bcopy("[[:<:]]", string, 7); /* beginning of word */ - bcopy("[[:>:]]", string+7+len, 7); /* and end of word */ + bcopy("[[:>:]]", string+7+len, 8); /* and end of word */ + string[len + 14] = '\0'; error = regcomp(&action->devname_regex, string, REG_NOSUB|REG_EXTENDED); if (error) { |