
Fix an out-of-bounds write when a zero-length buffer is passed.
Closed, Public

Authored by brooks on Apr 12 2017, 10:57 PM.
Referenced Files
F148940619: D10377.id27413.diff
Sat, Mar 21, 4:39 AM
F148940599: D10377.id27413.diff
Sat, Mar 21, 4:39 AM

Details

Summary

Found with ttyname_test and CHERI bounds checking.

Sponsored by: DARPA, AFRL
Obtained from: CheriBSD

Diff Detail

Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 8705
Build 9040: arc lint + arc unit

Event Timeline

I also wonder if we should perform a NULL pointer check, but POSIX doesn't explicitly allow EINVAL.

This revision is now accepted and ready to land. Apr 12 2017, 11:10 PM

I also wonder if we should perform a NULL pointer check, but POSIX doesn't explicitly allow EINVAL.

Bruce would argue that a SIGSEGV is a valid NULL pointer check. That is the failure case for many other APIs in userland (e.g. strlen() and strcpy()).

This revision was automatically updated to reflect the committed changes.