Author: mdf
Date: Tue Jan 11 17:16:50 2011
New Revision: 217268
URL: http://svn.freebsd.org/changeset/base/217268
Log:
MFC r217109:
Fix a memory overflow where the input length to g_gpt_utf8_to_utf16()
was specified incorrectly, causing the bzero to run past the end of a
malloc(9)'d object.
Submitted by: Eric Youngblut < eyoungblut AT isilon DOT com >
Modified:
stable/8/sys/geom/part/g_part_gpt.c
Directory Properties:
stable/8/sys/ (props changed)
stable/8/sys/amd64/include/xen/ (props changed)
stable/8/sys/cddl/contrib/opensolaris/ (props changed)
stable/8/sys/contrib/dev/acpica/ (props changed)
stable/8/sys/contrib/pf/ (props changed)
Modified: stable/8/sys/geom/part/g_part_gpt.c
==============================================================================
--- stable/8/sys/geom/part/g_part_gpt.c Tue Jan 11 17:02:24 2011
(r217267)
+++ stable/8/sys/geom/part/g_part_gpt.c Tue Jan 11 17:16:50 2011
(r217268)
@@ -425,7 +425,8 @@ g_part_gpt_add(struct g_part_table *base
}
if (gpp->gpp_parms & G_PART_PARM_LABEL)
g_gpt_utf8_to_utf16(gpp->gpp_label, entry->ent.ent_name,
- sizeof(entry->ent.ent_name));
+ sizeof(entry->ent.ent_name) /
+ sizeof(entry->ent.ent_name[0]));
return (0);
}
@@ -588,7 +589,8 @@ g_part_gpt_modify(struct g_part_table *b
}
if (gpp->gpp_parms & G_PART_PARM_LABEL)
g_gpt_utf8_to_utf16(gpp->gpp_label, entry->ent.ent_name,
- sizeof(entry->ent.ent_name));
+ sizeof(entry->ent.ent_name) /
+ sizeof(entry->ent.ent_name[0]));
return (0);
}
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
