From 49e7c87fded2320a906d60c882d3ada168a4326c Mon Sep 17 00:00:00 2001
From: jdp
Date: Fri, 14 May 2004 01:29:21 +0000
Subject: Fix a potential stack buffer overflow on systems whose ACPI OEMID fills its field (6 characters). In that case the OEMID is not null-terminated, and the sprintf that was used would copy up to the next null byte, which could be pretty far away.
---
 sys/boot/i386/libi386/biosacpi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'sys')
diff --git a/sys/boot/i386/libi386/biosacpi.c b/sys/boot/i386/libi386/biosacpi.c
index b4080bd..c8ee1c7 100644
--- a/sys/boot/i386/libi386/biosacpi.c
+++ b/sys/boot/i386/libi386/biosacpi.c
@@ -66,8 +66,8 @@ biosacpi_detect(void)
 revision = 1;
 sprintf(buf, "%d", revision);
 setenv("hint.acpi.0.revision", buf, 1);
- sprintf(buf, "%6s", rsdp->OemId);
- buf[6] = '\0';
+ strncpy(buf, rsdp->OemId, sizeof(rsdp->OemId));
+ buf[sizeof(rsdp->OemId)] = '\0';
 setenv("hint.acpi.0.oem", buf, 1);
 sprintf(buf, "0x%08x", rsdp->RsdtPhysicalAddress);
 setenv("hint.acpi.0.rsdt", buf, 1);
-- 
cgit v1.1
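Review bot: The terminator store `buf[sizeof(rsdp->OemId)] = '\0';` is in bounds only if `buf` holds more than `sizeof(rsdp->OemId)` bytes, and `buf`'s declaration is outside this hunk, so nothing visible here ties the two sizes together. The neighbouring `sprintf(buf, "0x%08x", ...)` already needs 11 bytes, so the store is presumably safe today, but that is an inference from the context lines rather than something the new code enforces. A comment above the `strncpy` would keep the invariant visible to whoever next resizes `buf`: `/* OemId is a fixed-width field, not NUL-terminated when full; buf must be larger than sizeof(rsdp->OemId). */`. biosacpi_detect's body starts and ends outside the hunk.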