Set pca.p_bufr to NULL when we haven't allocated a buffer.

Otherwise, p_bufr is set to garbage on the stack, and if that garbage
happens to be non-NULL, and the TOLOG or TOCONS flag is set, putbuf()
will get called and attempt to fill the non-existent buffer.

This is really only relevant for tprintf() (and only when the priority is
not -1), but set it in uprintf() and ttyprintf() for completeness.

The next step, to avoid log buffer scrambling, would be to add the
PRINTF_BUFR_SIZE code to tprintf(), but this should prevent panics.

Submitted by:	rmacklem
Found by:	pho

1 files changed, 3 insertions, 0 deletions

diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index 3334837..48f2dd9 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -163,6 +163,7 @@ uprintf(const char *fmt, ...)
 		goto out;
 	}
 	pca.flags = TOTTY;
+	pca.p_bufr = NULL;
 	va_start(ap, fmt);
 	tty_lock(pca.tty);
 	retval = kvprintf(fmt, putchar, &pca, 10, ap);
@@ -206,6 +207,7 @@ tprintf(struct proc *p, int pri, const char *fmt, ...)
 	pca.pri = pri;
 	pca.tty = tp;
 	pca.flags = flags;
+	pca.p_bufr = NULL;
 	va_start(ap, fmt);
 	if (pca.tty != NULL)
 		tty_lock(pca.tty);
@@ -234,6 +236,7 @@ ttyprintf(struct tty *tp, const char *fmt, ...)
 	va_start(ap, fmt);
 	pca.tty = tp;
 	pca.flags = TOTTY;
+	pca.p_bufr = NULL;
 	retval = kvprintf(fmt, putchar, &pca, 10, ap);
 	va_end(ap);
 	return (retval);