author | jdp <jdp@FreeBSD.org> | 2004-05-14 01:29:21 +0000 |
---|---|---|
committer | jdp <jdp@FreeBSD.org> | 2004-05-14 01:29:21 +0000 |
commit | 49e7c87fded2320a906d60c882d3ada168a4326c (patch) | |
tree | 74e67d256ab5ee650533444f56004ab0d0344c49 | |
parent | 1a6a57d801c64658715940a7ea65bc80fdec4a8f (diff) | |
Fix a potential stack buffer overflow on systems whose ACPI OEMID
fills its field (6 characters). In that case the OEMID is not
null-terminated, and the sprintf that was used would copy up to the
next null byte, which could be pretty far away.
-rw-r--r-- | sys/boot/i386/libi386/biosacpi.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/boot/i386/libi386/biosacpi.c b/sys/boot/i386/libi386/biosacpi.c
index b4080bd..c8ee1c7 100644
--- a/sys/boot/i386/libi386/biosacpi.c
+++ b/sys/boot/i386/libi386/biosacpi.c
@@ -66,8 +66,8 @@ biosacpi_detect(void)
 revision = 1;
 sprintf(buf, "%d", revision);
 setenv("hint.acpi.0.revision", buf, 1);
- sprintf(buf, "%6s", rsdp->OemId);
- buf[6] = '\0';
+ strncpy(buf, rsdp->OemId, sizeof(rsdp->OemId));
+ buf[sizeof(rsdp->OemId)] = '\0';
 setenv("hint.acpi.0.oem", buf, 1);
 sprintf(buf, "0x%08x", rsdp->RsdtPhysicalAddress);
 setenv("hint.acpi.0.rsdt", buf, 1); |
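Review bot: The added `strncpy` and the terminator write at `buf[sizeof(rsdp->OemId)]` are bounded by the size of the source field, not of the destination, so they are only safe while `buf` holds at least `sizeof(rsdp->OemId) + 1` bytes. `buf` is declared outside this hunk, so that cannot be confirmed from here. A comment above the pair would record the dependency: `/* OemId is a fixed-width firmware field and may lack a NUL; buf must be larger than sizeof(rsdp->OemId) */`. If a compile-time assertion macro is available in the boot code, asserting `sizeof(buf) > sizeof(rsdp->OemId)` would stop a later change to either size from reintroducing the overflow. The body of biosacpi_detect starts and ends outside the hunk.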