authorPeter Wemm <peter@FreeBSD.org>2000-07-14 00:29:00 +0000
committerPeter Wemm <peter@FreeBSD.org>2000-07-14 00:29:00 +0000
commit05f560ae5999d958a823ec293eb19120f9cfccc7 (patch)
tree2897348e49df554e34d18e29fabfd4fa8d73045a
parent1994f5c7aadb7dc3c2b9f2c06c387cb0f838d2b3 (diff)
Correct an additional off-by-one bug and buffer overflow. A malloc()
was being made one byte too short, and the string assembled in it was not null-terminated. The string was passed to regcomp(), so it never matched anything in /etc/usbd.conf. This is the cause of usbd not working for the last few days. The new malloc.conf default of AJ triggered this.
Notes
Notes: svn path=/head/; revision=63096
-rw-r--r--usr.sbin/usbd/usbd.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.sbin/usbd/usbd.c b/usr.sbin/usbd/usbd.c
index 4252e0f01054..11139c104e1b 100644
--- a/usr.sbin/usbd/usbd.c
+++ b/usr.sbin/usbd/usbd.c
@@ -379,13 +379,14 @@ set_devname_field(action_t *action, char *args, char **trail)
return(0);
len = strlen(action->devname);
- string = malloc(len + 14);
+ string = malloc(len + 15);
if (string == NULL)
return(0);
bcopy(action->devname, string+7, len); /* make some space for */
bcopy("[[:<:]]", string, 7); /* beginning of word */
- bcopy("[[:>:]]", string+7+len, 7); /* and end of word */
+ bcopy("[[:>:]]", string+7+len, 8); /* and end of word */
+ string[len + 14] = '\0';
error = regcomp(&action->devname_regex, string, REG_NOSUB|REG_EXTENDED);
if (error) {