I've noticed that if I fill the input buffer at the loader prompt on 7-STABLE I get a panic with a guard page failure. From what I can see the loader uses the ngets function in src/lib/libstand/gets.c with a buffer of size 256. If I print out the value of strlen(input) in interp.c I get 256. Shouldn't line 77 of gets.c be comparing (lp-buf) against (n-1) instead of n?

-- Bruce Cran
Dimitry Andric
2009-Mar-31 01:33 UTC
Off-by-one error in ngets() causing panic in loader(8)?
On 2009-03-30 23:23, Bruce Cran wrote:
> I've noticed that if I fill the input buffer at the loader prompt on
> 7-STABLE I get a panic with a guard page failure. From what I can see
> the loader uses the ngets function in src/lib/libstand/gets.c with a
> buffer of size 256. If I print out the value of strlen(input) in
> interp.c I get 256. Shouldn't line 77 of gets.c be comparing (lp-buf)
> against (n-1) instead of n?

Yes, either that, or change all callers to use "sizeof buf - 1" or similar. However, the latter is not how the normal fgets(3) works, so it is probably better to fix it in ngets() itself. :)
John Baldwin
2009-Mar-31 08:03 UTC
Off-by-one error in ngets() causing panic in loader(8)?
On Monday 30 March 2009 5:23:07 pm Bruce Cran wrote:
> I've noticed that if I fill the input buffer at the loader prompt on
> 7-STABLE I get a panic with a guard page failure. From what I can see
> the loader uses the ngets function in src/lib/libstand/gets.c with a
> buffer of size 256. If I print out the value of strlen(input) in
> interp.c I get 256. Shouldn't line 77 of gets.c be comparing (lp-buf)
> against (n-1) instead of n?

Yep. I've committed the fix. The libstand(3) manpage states that ngets() puts in at most n - 1 characters followed by a NULL, so n - 1 is the correct fix.

-- John Baldwin
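To show concretely why comparing against n rather than n - 1 puts the terminator one byte past a 256-byte buffer, here is an added example; it is not the libstand gets.c source nor the committed fix, but a simplified model of the ngets() loop with the comparison limit as a parameter, run against a buffer with a guard byte after it. BUFSZ, model_ngets, probe, probe_buggy, probe_fixed and long_line are names assumed for this example.

```c
#include <string.h>

#define BUFSZ 256   /* size of the loader's input buffer, per the report */

struct result {
    size_t len;     /* strlen() of the buffer after the read */
    int guard_hit;  /* 1 if the byte just past the buffer was overwritten */
};

/* Model of a libstand-style ngets() loop, constructed for this example (it
 * is not the code in src/lib/libstand/gets.c); input comes from the string
 * `in` instead of the console so it runs offline. `limit` is what (lp - buf)
 * is compared against: n reproduces the reported off-by-one, n - 1 is the fix. */
static void model_ngets(const char *in, char *buf, size_t limit)
{
    char *lp = buf;
    for (; *in != '\0' && *in != '\n' && *in != '\r'; in++) {
        if ((size_t)(lp - buf) < limit)   /* the comparison in question */
            *lp++ = *in;                  /* extra input is dropped, not stored */
    }
    *lp = '\0';   /* on a full line the terminator lands at buf[limit] */
}

/* Read into a BUFSZ-byte buffer followed by one guard byte, which stands in
 * for the guard page the loader panicked on, and report what happened. */
static struct result probe(const char *in, size_t limit)
{
    char storage[BUFSZ + 1];   /* BUFSZ-byte buffer plus one guard byte */
    const char guard = (char)0xAA;
    struct result r;
    memset(storage, 0, sizeof storage);
    storage[BUFSZ] = guard;
    model_ngets(in, storage, limit);
    r.guard_hit = storage[BUFSZ] != guard;
    r.len = strlen(storage);
    return r;
}

/* As reported: compare against n. */
static struct result probe_buggy(const char *in) { return probe(in, BUFSZ); }
/* As fixed: compare against n - 1, matching the libstand(3) contract. */
static struct result probe_fixed(const char *in) { return probe(in, BUFSZ - 1); }

static const char *long_line(void)
{
    static char line[301];    /* constructed input: 300 x 'a', longer than BUFSZ */
    memset(line, 'a', 300); line[300] = '\0';
    return line;
}
```

With the long line, probe_buggy() reports strlen 256 and a clobbered guard byte, which is the strlen(input) == 256 observation from the first message; probe_fixed() stops at 255 and leaves the guard untouched.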