From f2bc8f18889ad2fa09cad4491dd65d7cc1e8db3d Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Sat, 20 Nov 2004 22:35:55 +0000
Subject: Fix possible buffer overrun on linux printk. Thanks to Neal H. Walfield .
---
 debian/changelog | 2 +
 .../patches/18_linux_printk_buffer_overrun.patch | 87 ++++++++++++++++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 debian/patches/18_linux_printk_buffer_overrun.patch
(limited to 'debian')
diff --git a/debian/changelog b/debian/changelog
index 850a493..0689bc8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,8 @@ gnumach (1:20040915.dfsg.1-1) unstable; urgency=low
 Thanks to Neal H. Walfield .
 * Fix double free and memory loss probing partition table.
 Thanks to Neal H. Walfield .
+ * Fix possible buffer overrun on linux printk.
+ Thanks to Neal H. Walfield .
 
 -- Guillem Jover Tue, 16 Nov 2004 07:58:02 +0100
 
diff --git a/debian/patches/18_linux_printk_buffer_overrun.patch b/debian/patches/18_linux_printk_buffer_overrun.patch
new file mode 100644
index 0000000..75bb7ba
--- /dev/null
+++ b/debian/patches/18_linux_printk_buffer_overrun.patch
@@ -0,0 +1,87 @@
+#DPATCHLEVEL=0
+
+2004-09-08 Neal H. Walfield
+
+ * linux/dev/kernel/printk.c: Include .
+ (printk): Use vsnprintf, not linux_vsprintf to avoid buffer
+ overruns.
+
+ * kern/printf.c (struct vsnprintf_cookie): New structure.
+ (snputc): New function.
+ (vsnprintf): Likewise.
+
+
+Index: linux/dev/kernel/printk.c
+===================================================================
+RCS file: /cvsroot/hurd/gnumach/linux/dev/kernel/Attic/printk.c,v
+retrieving revision 1.1
+diff -u -p -r1.1 printk.c
+--- linux/dev/kernel/printk.c 26 Apr 1999 05:49:36 -0000 1.1
++++ linux/dev/kernel/printk.c 8 Sep 2004 10:29:05 -0000
+@@ -26,6 +26,7 @@
+ #define MACH_INCLUDE
+ #include
+ #include
++#include
+
+ static char buf[2048];
+
+@@ -40,14 +41,14 @@ printk (char *fmt, ...)
+ va_list args;
+ int n, flags;
+ extern void cnputc ();
+- extern int linux_vsprintf (char *buf, char *fmt,...);
+ char *p, *msg, *buf_end;
+ static int msg_level = -1;
+
+ save_flags (flags);
+ cli ();
+ va_start (args, fmt);
+- n = linux_vsprintf (buf + 3, fmt, args);
++ n = vsnprintf (buf + 3, sizeof (buf) - 3, fmt, args);
++ assert (n <= sizeof (buf) - 3);
+ buf_end = buf + 3 + n;
+ va_end (args);
+ for (p = buf + 3; p < buf_end; p++)
+Index: kern/printf.c
+===================================================================
+RCS file: /cvsroot/hurd/gnumach/kern/Attic/printf.c,v
+retrieving revision 1.2
+diff -u -p -r1.2 printf.c
+--- kern/printf.c 23 Jul 2000 00:34:12 -0000 1.2
++++ kern/printf.c 8 Sep 2004 10:29:06 -0000
+@@ -579,6 +579,34 @@ sprintf(char *buf, const char *fmt, ...)
+ return (buf - start);
+ }
+
++struct vsnprintf_cookie
++{
++ char *buf;
++ int index;
++ int max_len;
++};
++
++static void
++snputc(char c, vm_offset_t arg)
++{
++ struct vsnprintf_cookie *cookie = (void *) arg;
++
++ if (cookie->index < cookie->max_len)
++ cookie->buf[cookie->index ++] = c;
++}
++
++int
++vsnprintf(char *buf, int size, const char *fmt, va_list args)
++{
++ struct vsnprintf_cookie cookie
++ = { .buf = buf, .index = 0, .max_len = size };
++
++ _doprnt (fmt, &args, snputc, 16, (vm_offset_t)&cookie);
++ cookie.buf[cookie.index] = '\0';
++
++ return cookie.index;
++}
++
+
+ void safe_gets(str, maxlen)
+ char *str;
-- 
cgit v1.2.3
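Review bot: The new vsnprintf in kern/printf.c can still write one byte past the buffer, because snputc stores characters while `cookie->index < cookie->max_len`, so on truncation index equals size and `cookie.buf[cookie.index] = '\0'` lands at buf[size]. For the printk call that address is buf + 3 + (sizeof (buf) - 3), one past the end of the static `buf[2048]`, and `assert (n <= sizeof (buf) - 3)` cannot catch it since n never exceeds the size passed in. Reserving room for the terminator closes the gap: add `if (size <= 0) return 0;` at the top of vsnprintf and initialise the cookie with `.max_len = size - 1`, after which the printk assert can be tightened to `assert (n < sizeof (buf) - 3);`. The function also returns the number of characters stored rather than the length the full output would have had, so callers cannot detect truncation as they can with C99 vsnprintf; a comment on the function stating this would help. printk's body continues outside the inner hunk, so how the rest of it uses buf_end is not visible here.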