From carol@tinker.com  Sun Feb 23 15:44:31 1997
Received: from tinker.com (troll.tinker.com [204.214.7.146])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA10140
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 23 Feb 1997 15:44:29 -0800 (PST)
Received: by localhost (8.7.5/8.7.3)
Received: by mail.tinker.com via smap (V1.3)
	id sma001235; Sun Feb 23 17:55:17 1997
Received: by localhost (8.7.5/8.7.3)
Message-Id: <199702232323.RAA29283@mailhub.tinker.com>
Date: Sun, 23 Feb 1997 17:23:05 -0600 (CST)
From: carol@tinker.com
Reply-To: carol@tinker.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: pcisupport.c uses sprintf field widths, not supported in kernel
X-Send-Pr-Version: 3.2

>Number:         2807
>Category:       kern
>Synopsis:       pcisupport.c uses sprintf field widths, not supported in kernel
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 23 15:50:01 PST 1997
>Closed-Date:    Thu Sep 18 11:21:50 PDT 1997
>Last-Modified:  Thu Sep 18 11:22:06 PDT 1997
>Originator:     Carol Lyn Deihl
>Release:        FreeBSD 2.1.7-RELEASE i386
>Organization:
Shrier and Deihl
>Environment:

        using PCI devices

>Description:

        In 2.1.6 /usr/src/sys/pci/pcisupport.c was modified to ensure that the
sprintf format string PPB_DESCR wouldn't overrun the space malloc'd for it.
However, the modification uses sprintf field widths (e.g. %04x), which are not
supported in the kernel's sprintf. At boot time, the string printed on the
console still has the field width specifiers (since they weren't recognized
by kernel's sprintf), instead of the desired data. At least it's guaranteed
not to overrun the malloc'd buffer :-). This problem still exists in 2.1.7.

>How-To-Repeat:

        Boot with PCI devices installed.

>Fix:

        Here is a suggested patch that doesn't rely on field width specifiers
and also guarantees no overrun:
pcisupport.patch - patch to fix sprintf format string because kernel's sprintf
	doesn't understand field widths (e.g. %04x)

Carol Deihl <carol@tinker.com> 1997/02/23

To apply these patches,
	copy this file to SOMEWHERE
	cd /usr/src
	patch <SOMEWHERE/pcisupport.patch

Index: sys/pci/pcisupport.c
===================================================================
*** pcisupport.c	Mon Sep 16 03:52:18 1996
--- pcisupport.c	Sun Feb 23 17:05:23 1997
***************
*** 83,89 ****
  };
  
  /* make sure formats expand to at least as many chars !!! */
! #define PPB_DESCR "generic PCI bridge (vendor=%04x device=%04x subclass=%1.2d)"
  
  static char*
  generic_pci_bridge (pcici_t tag)
--- 83,90 ----
  };
  
  /* make sure formats expand to at least as many chars !!! */
! /* if you change this string, check the sizeof stuff in the malloc below !!! */
! #define PPB_DESCR "generic PCI bridge (vendor=%x device=%x subclass=%d)"
  
  static char*
  generic_pci_bridge (pcici_t tag)
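Review bot: The retained comment "make sure formats expand to at least as many chars !!!" above PPB_DESCR no longer states the rule the code depends on. With the new %x and %d specifiers a small value prints as a single character, which is shorter than the two-character specifier, and the length guarantee now comes from the malloc size rather than from the format. Drop or reword that line so that only the new "check the sizeof stuff in the malloc below" comment remains. It is also worth saying in the comment that the IDs are now printed without the zero padding the %04x form asked for.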
***************
*** 95,101 ****
  
  	unsigned id = pci_conf_read (tag, PCI_ID_REG);
  
! 	descr = malloc (sizeof PPB_DESCR +1, M_DEVBUF, M_WAITOK);
  	if (descr) {
  	    sprintf (descr, PPB_DESCR, id & 0xffff, (id >> 16) & 0xffff, 
  			(classreg >> 16) & 0xff);
--- 96,106 ----
  
  	unsigned id = pci_conf_read (tag, PCI_ID_REG);
  
! 	descr = malloc (sizeof PPB_DESCR /* includes the nul */
! 		+ 4 /* for vendor */
! 		+ 4 /* for device */
! 		+ 3 /* for subclass */
! 		+ 1 /* for just in case */, M_DEVBUF, M_WAITOK);
  	if (descr) {
  	    sprintf (descr, PPB_DESCR, id & 0xffff, (id >> 16) & 0xffff, 
  			(classreg >> 16) & 0xff);
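Review bot: The digit counts added to the malloc size (4, 4 and 3) are correct only because of the masks in the sprintf call below them: & 0xffff limits vendor and device to four hex digits each, and & 0xff limits subclass to three decimal digits. Nothing in the allocation ties those numbers to the masks, so a later change to a mask or to a specifier in PPB_DESCR can silently invalidate the bound. Suggest extending the inline comments to name the mask each count depends on, for example "4 /* id & 0xffff: max 4 hex digits */". The "+ 1 /* for just in case */" term is not needed, since sizeof PPB_DESCR already counts the nul and the specifier characters themselves, so the buffer is oversized before that term is added. Either remove it or replace the comment with the actual reason for keeping it.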


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Thu Sep 18 11:21:50 PDT 1997 
State-Changed-Why:  

fixed in -current 
>Unformatted:
