author | peter <peter@FreeBSD.org> | 2000-07-14 00:29:00 +0000 |
---|---|---|
committer | peter <peter@FreeBSD.org> | 2000-07-14 00:29:00 +0000 |
commit | 758f41c92dac66f40115e5639b1432a55535f653 (patch) | |
tree | b474acddc3cfbb0417b893a66e463793ff8138d4 /usr.sbin/usbd | |
parent | 092cc1f8f99b873b28e3af4c33600826216f184d (diff) | |
Correct an additional off-by-one bug and buffer overflow. A malloc()
was being made one byte too short, and the string assembled in it was not
null terminated. The string was passed to regcomp() so it never matched
anything in /etc/usbd.conf. This is the cause of usbd not working for the
last few days. The new malloc.conf default of AJ triggered this.
Diffstat (limited to 'usr.sbin/usbd')
-rw-r--r-- | usr.sbin/usbd/usbd.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.sbin/usbd/usbd.c b/usr.sbin/usbd/usbd.c index 4252e0f..11139c1 100644 --- a/usr.sbin/usbd/usbd.c +++ b/usr.sbin/usbd/usbd.c @@ -379,13 +379,14 @@ set_devname_field(action_t *action, char *args, char **trail) return(0); len = strlen(action->devname); - string = malloc(len + 14); + string = malloc(len + 15); if (string == NULL) return(0); bcopy(action->devname, string+7, len); /* make some space for */ bcopy("[[:<:]]", string, 7); /* beginning of word */ - bcopy("[[:>:]]", string+7+len, 7); /* and end of word */ + bcopy("[[:>:]]", string+7+len, 8); /* and end of word */ + string[len + 14] = '\0'; error = regcomp(&action->devname_regex, string, REG_NOSUB|REG_EXTENDED); if (error) { |
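Review bot: In set_devname_field(), the added `string[len + 14] = '\0';` duplicates what the changed `bcopy("[[:>:]]", string+7+len, 8);` already does. Copying 8 bytes from the 7-character literal carries its terminating NUL to offset len + 14, so one of the two changes is enough, and keeping both hides which one is the actual terminator. The larger concern is that the allocation size (len + 15) and the copy lengths (7, 7, 8) are still hand-counted constants that must agree with each other and with the two literals, which is exactly how the original off-by-one arose. I would suggest deriving them from the literals, for example with sizeof on named prefix and suffix strings, or building the pattern with a single bounded formatted write sized from the same expression as the malloc(), so that a later edit to either literal cannot leave the buffer short or unterminated again. A brief comment stating that the buffer holds prefix + devname + suffix + NUL would also help the next reader check the arithmetic.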