author | ken <ken@FreeBSD.org> | 2011-06-07 05:04:37 +0000 |
---|---|---|
committer | ken <ken@FreeBSD.org> | 2011-06-07 05:04:37 +0000 |
commit | 048adb69c7c57c1cc5c423e5118cbc3e1176c3e7 (patch) | |
tree | 2dce1497dda325a64a355b6ba662229ee5875330 /sys/kern | |
parent | e58c149ca2067cb8717e0849b2b37e4791eedb89 (diff) | |
Set pca.p_bufr to NULL when we haven't allocated a buffer.
Otherwise, p_bufr is set to garbage on the stack, and if that garbage
happens to be non-NULL, and the TOLOG or TOCONS flag is set, putbuf()
will get called and attempt to fill the non-existent buffer.
This is really only relevant for tprintf() (and only when the priority is
not -1), but set it in uprintf() and ttyprintf() for completeness.
The next step, to avoid log buffer scrambling, would be to add the
PRINTF_BUFR_SIZE code to tprintf(), but this should prevent panics.
Submitted by: rmacklem
Found by: pho
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/subr_prf.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index 3334837..48f2dd9 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -163,6 +163,7 @@ uprintf(const char *fmt, ...)
 goto out;
 }
 pca.flags = TOTTY;
+ pca.p_bufr = NULL;
 va_start(ap, fmt);
 tty_lock(pca.tty);
 retval = kvprintf(fmt, putchar, &pca, 10, ap);
@@ -206,6 +207,7 @@ tprintf(struct proc *p, int pri, const char *fmt, ...)
 pca.pri = pri;
 pca.tty = tp;
 pca.flags = flags;
+ pca.p_bufr = NULL;
 va_start(ap, fmt);
 if (pca.tty != NULL)
 tty_lock(pca.tty);
@@ -234,6 +236,7 @@ ttyprintf(struct tty *tp, const char *fmt, ...)
 va_start(ap, fmt);
 pca.tty = tp;
 pca.flags = TOTTY;
+ pca.p_bufr = NULL;
 retval = kvprintf(fmt, putchar, &pca, 10, ap);
 va_end(ap);
 return (retval); |
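Review bot: Assigning `pca.p_bufr = NULL` by hand in uprintf(), and again in the tprintf() and ttyprintf() hunks, fixes the one member that was seen to misbehave but leaves any other member these functions do not assign holding stack contents; the visible lines of ttyprintf(), for instance, set only `tty` and `flags`. Because a stray non-NULL pointer here ends in a kernel write through memory the caller never allocated, it would be more robust to clear the whole structure once, e.g. `bzero(&pca, sizeof(pca));` ahead of the first field assignment in each function, so that a member added later cannot repeat the problem. The declarations of `pca` and the start of each function are outside the hunks, so this assumes there is no earlier initialisation. A short comment such as `/* No line buffer allocated; keep putbuf() from being used. */` next to the assignment would also record why the field matters.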