Fix a potential stack buffer overflow on systems whose ACPI OEMID

fills its field (6 characters). In that case the OEMID is not null-terminated, and the sprintf that was used would copy up to the next null byte, which could be pretty far away.
author: jdp <jdp@FreeBSD.org> 2004-05-14 01:29:21 +0000
committer: jdp <jdp@FreeBSD.org> 2004-05-14 01:29:21 +0000
commit: 49e7c87fded2320a906d60c882d3ada168a4326c (patch)
tree: 74e67d256ab5ee650533444f56004ab0d0344c49 /sys/boot
parent: 1a6a57d801c64658715940a7ea65bc80fdec4a8f (diff)
download: FreeBSD-src-49e7c87fded2320a906d60c882d3ada168a4326c.zip
FreeBSD-src-49e7c87fded2320a906d60c882d3ada168a4326c.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/boot/i386/libi386/biosacpi.c b/sys/boot/i386/libi386/biosacpi.c
index b4080bd..c8ee1c7 100644
--- a/sys/boot/i386/libi386/biosacpi.c
+++ b/sys/boot/i386/libi386/biosacpi.c
@@ -66,8 +66,8 @@ biosacpi_detect(void)
 	revision = 1;
     sprintf(buf, "%d", revision);
     setenv("hint.acpi.0.revision", buf, 1);
-    sprintf(buf, "%6s", rsdp->OemId);
-    buf[6] = '\0';
+    strncpy(buf, rsdp->OemId, sizeof(rsdp->OemId));
+    buf[sizeof(rsdp->OemId)] = '\0';
     setenv("hint.acpi.0.oem", buf, 1);
     sprintf(buf, "0x%08x", rsdp->RsdtPhysicalAddress);
     setenv("hint.acpi.0.rsdt", buf, 1);
author	jdp <jdp@FreeBSD.org>	2004-05-14 01:29:21 +0000
committer	jdp <jdp@FreeBSD.org>	2004-05-14 01:29:21 +0000
commit	49e7c87fded2320a906d60c882d3ada168a4326c (patch)
tree	74e67d256ab5ee650533444f56004ab0d0344c49 /sys/boot
parent	1a6a57d801c64658715940a7ea65bc80fdec4a8f (diff)
download	FreeBSD-src-49e7c87fded2320a906d60c882d3ada168a4326c.zip FreeBSD-src-49e7c87fded2320a906d60c882d3ada168a4326c.tar.gz