https://git.reactos.org/?p=reactos.git;a=commitdiff;h=dfc2cc4e4255d7313402e…
commit dfc2cc4e4255d7313402e3fa9b8ac329888ead9f
Author: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
AuthorDate: Tue Apr 4 03:03:42 2023 +0200
Commit: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
CommitDate: Wed Apr 5 03:33:39 2023 +0200
[NTOS:KD] Fix buffer overflow for the signon in KdPortInitializeEx.
The built string can be:
°°Kernel Debugger: Serial port found: COM1 (Port 0x000003F8) BaudRate 115200°°°°
(with ° representing the \r and \n in the message)
and you can verify that this is more than 80 characters in total.
---
ntoskrnl/kd/i386/kdserial.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/ntoskrnl/kd/i386/kdserial.c b/ntoskrnl/kd/i386/kdserial.c
index 9869011460b..db5f75b54bc 100644
--- a/ntoskrnl/kd/i386/kdserial.c
+++ b/ntoskrnl/kd/i386/kdserial.c
@@ -106,15 +106,22 @@ KdPortInitializeEx(
else
{
#ifndef NDEBUG
- CHAR buffer[80];
+ int Length;
+ CHAR Buffer[82];
/* Print message to blue screen */
- sprintf(buffer,
- "\r\nKernel Debugger: Serial port found: COM%ld (Port 0x%p) BaudRate
%ld\r\n\r\n",
- ComPortNumber,
- PortInformation->Address,
- PortInformation->BaudRate);
- HalDisplayString(buffer);
+ Length = snprintf(Buffer, sizeof(Buffer),
+ "\r\nKernel Debugger: Serial port found: COM%ld (Port
0x%p) BaudRate %ld\r\n\r\n",
+ ComPortNumber,
+ PortInformation->Address,
+ PortInformation->BaudRate);
+ if (Length == -1)
+ {
+ /* Terminate it if we went over-board */
+ Buffer[sizeof(Buffer) - 1] = ANSI_NULL;
+ }
+
+ HalDisplayString(Buffer);
#endif /* NDEBUG */
#if 0
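Review bot: The `if (Length == -1)` test after the new `snprintf` call does not cover every case in which `Buffer` can reach `HalDisplayString` without a terminator. If the `snprintf` linked here follows `_snprintf` semantics, which the `-1` test suggests but the hunk does not show, output that exactly fills the 82 bytes returns 82 and writes no NUL; under C99 semantics truncation returns a value at or above the size, so the branch never runs. Terminating unconditionally with `Buffer[sizeof(Buffer) - 1] = ANSI_NULL;` right after the call, or testing `if (Length < 0 || Length >= (int)sizeof(Buffer))`, is correct under both conventions. The sample string in the commit message is 80 characters, so 82 leaves one spare byte, and a longer COM number or baud rate would land on that boundary. `KdPortInitializeEx` starts and ends outside this hunk.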