From 8439a7220d6eb183195967c09724b3064a23c684 Mon Sep 17 00:00:00 2001 From: Brooks Davis Date: Thu, 13 Apr 2017 15:52:45 +0000 Subject: Fix an out-of-bounds write when a zero-length buffer is passed. Found with ttyname_test and CHERI bounds checking. Reviewed by: emaste Obtained from: CheriBSD MFC after: 1 week Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D10377 --- lib/libc/gen/ttyname.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/libc/gen/ttyname.c b/lib/libc/gen/ttyname.c index 7ca73b7b42b39..153b8d2878dd7 100644 --- a/lib/libc/gen/ttyname.c +++ b/lib/libc/gen/ttyname.c @@ -61,6 +61,10 @@ ttyname_r(int fd, char *buf, size_t len) { size_t used; + /* Don't write off the end of a zero-length buffer. */ + if (len < 1) + return (ERANGE); + *buf = '\0'; /* Must be a terminal. */ -- cgit v1.2.3
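Review bot: In the added check at the top of ttyname_r(), `len` is a `size_t`, so `len < 1` can only ever mean `len == 0`; writing `if (len == 0)` would state the intent directly and match the comment's "zero-length buffer" wording. The placement ahead of `*buf = '\0';` is correct, since that one-byte store is the write the check guards and it also keeps a zero-length call from dereferencing `buf` at all. The diffstat shows only lib/libc/gen/ttyname.c changing, so consider adding an explicit zero-length case to ttyname_test that asserts the ERANGE return, so the regression is caught on platforms without CHERI bounds checking.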