Correct an additional off-by-one bug and buffer overflow. A malloc()

was being made one byte too short, and the string assembled in it was not null terminated. The string was passed to regcomp() so it never matched anything in /etc/usbd.conf. This is the cause of usbd not working for the last few days.. The new malloc.conf default of AJ triggered this.
author: peter <peter@FreeBSD.org> 2000-07-14 00:29:00 +0000
committer: peter <peter@FreeBSD.org> 2000-07-14 00:29:00 +0000
commit: 758f41c92dac66f40115e5639b1432a55535f653 (patch)
tree: b474acddc3cfbb0417b893a66e463793ff8138d4 /usr.sbin/usbd/usbd.c
parent: 092cc1f8f99b873b28e3af4c33600826216f184d (diff)
download: FreeBSD-src-758f41c92dac66f40115e5639b1432a55535f653.zip
FreeBSD-src-758f41c92dac66f40115e5639b1432a55535f653.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.sbin/usbd/usbd.c b/usr.sbin/usbd/usbd.c
index 4252e0f..11139c1 100644
--- a/usr.sbin/usbd/usbd.c
+++ b/usr.sbin/usbd/usbd.c
@@ -379,13 +379,14 @@ set_devname_field(action_t *action, char *args, char **trail)
 		return(0);
 
 	len = strlen(action->devname);
-	string = malloc(len + 14);
+	string = malloc(len + 15);
 	if (string == NULL)
 		return(0);
 
 	bcopy(action->devname, string+7, len);	/* make some space for */
 	bcopy("[[:<:]]", string, 7);		/*   beginning of word */
-	bcopy("[[:>:]]", string+7+len, 7);	/*   and end of word   */
+	bcopy("[[:>:]]", string+7+len, 8);	/*   and end of word   */
+	string[len + 14] = '\0';
 
 	error = regcomp(&action->devname_regex, string, REG_NOSUB|REG_EXTENDED);
 	if (error) {
author	peter <peter@FreeBSD.org>	2000-07-14 00:29:00 +0000
committer	peter <peter@FreeBSD.org>	2000-07-14 00:29:00 +0000
commit	758f41c92dac66f40115e5639b1432a55535f653 (patch)
tree	b474acddc3cfbb0417b893a66e463793ff8138d4 /usr.sbin/usbd/usbd.c
parent	092cc1f8f99b873b28e3af4c33600826216f184d (diff)
download	FreeBSD-src-758f41c92dac66f40115e5639b1432a55535f653.zip FreeBSD-src-758f41c92dac66f40115e5639b1432a55535f653.tar.gz