hrev51746 adds 1 changeset to branch 'master'
old head: a31e05bb68356270b1c0d05d684c62a9b29f51c3
new head: d9e4ef3f76300a41b06f9e419a516bc0ef613812
overview:
http://cgit.haiku-os.org/haiku/log/?qt=range&q=d9e4ef3f7630+%5Ea31e05bb6835
----------------------------------------------------------------------------
d9e4ef3f7630: dprintf: use user_memcpy/user_strlcpy to read the user buffer.
* also check the user buffer address.
[ Jérôme Duval <jerome.duval@xxxxxxxxx> ]
----------------------------------------------------------------------------
Revision: hrev51746
Commit: d9e4ef3f76300a41b06f9e419a516bc0ef613812
URL: http://cgit.haiku-os.org/haiku/commit/?id=d9e4ef3f7630
Author: Jérôme Duval <jerome.duval@xxxxxxxxx>
Date: Mon Jan 8 20:36:25 2018 UTC
----------------------------------------------------------------------------
1 file changed, 11 insertions(+), 2 deletions(-)
src/add-ons/kernel/drivers/common/dprintf.cpp | 13 +++++++++++--
----------------------------------------------------------------------------
diff --git a/src/add-ons/kernel/drivers/common/dprintf.cpp
b/src/add-ons/kernel/drivers/common/dprintf.cpp
index 612a2b1e8f..1addfa201b 100644
--- a/src/add-ons/kernel/drivers/common/dprintf.cpp
+++ b/src/add-ons/kernel/drivers/common/dprintf.cpp
@@ -11,6 +11,7 @@
#include <debug.h>
+#include <kernel.h>
#include <Drivers.h>
#include <KernelExport.h>
@@ -70,11 +71,19 @@ dprintf_read(void *cookie, off_t pos, void *buffer, size_t
*length)
static status_t
dprintf_write(void *cookie, off_t pos, const void *buffer, size_t *_length)
{
+ if (!IS_USER_ADDRESS(buffer))
+ return B_BAD_ADDRESS;
const char *str = (const char*)buffer;
int bytesLeft = *_length;
while (bytesLeft > 0) {
- int chunkSize = strnlen(str, bytesLeft);
+ ssize_t size = user_strlcpy(NULL, str, 0);
+ // there's no user_strnlen()
+ if (size < 0)
+ return 0;
+ int chunkSize = min_c(bytesLeft, (int)size);
+ // int chunkSize = strnlen(str, bytesLeft);
+
if (chunkSize == 0) {
// null bytes -- skip
str++;
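Review bot: The fault path `if (size < 0) return 0;` reports success to the caller, because 0 is B_OK for a status_t; it should propagate the failure with `return B_BAD_ADDRESS;`, ideally after setting `*_length` to the bytes actually consumed. The length probe `user_strlcpy(NULL, str, 0)` is also not bounded by `bytesLeft`, so it keeps scanning past the caller's declared length until it finds a NUL or faults, and a valid buffer without a terminator inside `*_length` can then be rejected or have adjacent memory walked. `IS_USER_ADDRESS(buffer)` checks only the first byte; unless user_strlcpy/user_memcpy validate addresses themselves (not visible here), the end of the range (`buffer + *_length`, with an overflow check) should be validated too. The commented-out `// int chunkSize = strnlen(str, bytesLeft);` can be dropped, since the comment above it already explains why. The body of dprintf_write continues outside this hunk.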
@@ -91,7 +100,7 @@ dprintf_write(void *cookie, off_t pos, const void *buffer,
size_t *_length)
char localBuffer[512];
if (bytesLeft > (int)sizeof(localBuffer) - 1)
chunkSize = (int)sizeof(localBuffer) -
1;
- memcpy(localBuffer, str, chunkSize);
+ user_memcpy(localBuffer, str, chunkSize);
localBuffer[chunkSize] = '\0';
debug_puts(localBuffer, chunkSize);
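Review bot: The result of `user_memcpy(localBuffer, str, chunkSize)` is ignored, so if the copy faults, `localBuffer` still holds uninitialized kernel stack bytes that are then terminated and handed to `debug_puts`. The user mapping can change between the earlier length probe and this copy, so the earlier check does not rule this out. Check the call and bail out, e.g. `if (user_memcpy(localBuffer, str, chunkSize) < B_OK) return B_BAD_ADDRESS;`. The surrounding loop starts and ends outside this hunk.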