If we ignore an unknown % sequence, we must stop interpreting the

remaining % arguments because the varargs are now out of sync and
there is a risk that we might for instance dereference an integer
in a %s argument.

Sponsored by: Napatech.com

1 files changed, 9 insertions, 2 deletions

diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index 4a133b5..6fa556e 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -500,7 +500,7 @@ kvprintf(char const *fmt, void (*func)(int, void*), void *arg, int radix, va_lis
 	int cflag, hflag, jflag, tflag, zflag;
 	int dwidth;
 	char padc;
-	int retval = 0;
+	int stop = 0, retval = 0;
 
 	num = 0;
 	if (!func)
@@ -517,7 +517,7 @@ kvprintf(char const *fmt, void (*func)(int, void*), void *arg, int radix, va_lis
 	for (;;) {
 		padc = ' ';
 		width = 0;
-		while ((ch = (u_char)*fmt++) != '%') {
+		while ((ch = (u_char)*fmt++) != '%' || stop) {
 			if (ch == '\0')
 				return (retval);
 			PCHAR(ch);
@@ -780,6 +780,13 @@ number:
 		default:
 			while (percent < fmt)
 				PCHAR(*percent++);
+			/*
+			 * Since we ignore an formatting argument it is no 
+			 * longer safe to obey the remaining formatting
+			 * arguments as the arguments will no longer match
+			 * the format specs.
+			 */
+			stop = 1;
 			break;
 		}
 	}