commit dfc2cc4e4255d7313402e3fa9b8ac329888ead9f Author: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org AuthorDate: Tue Apr 4 03:03:42 2023 +0200 Commit: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org CommitDate: Wed Apr 5 03:33:39 2023 +0200
[NTOS:KD] Fix buffer overflow for the signon in KdPortInitializeEx.
The built string can be: °°Kernel Debugger: Serial port found: COM1 (Port 0x000003F8) BaudRate 115200°°°° (with ° representing the \r and \n in the message) and you can verify that this is more than 80 characters in total. --- ntoskrnl/kd/i386/kdserial.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/ntoskrnl/kd/i386/kdserial.c b/ntoskrnl/kd/i386/kdserial.c
index 9869011460b..db5f75b54bc 100644
--- a/ntoskrnl/kd/i386/kdserial.c
+++ b/ntoskrnl/kd/i386/kdserial.c
@@ -106,15 +106,22 @@ KdPortInitializeEx(
 else
 {
 #ifndef NDEBUG
- CHAR buffer[80];
+ int Length;
+ CHAR Buffer[82];
 /* Print message to blue screen */
- sprintf(buffer,
- "\r\nKernel Debugger: Serial port found: COM%ld (Port 0x%p) BaudRate %ld\r\n\r\n",
- ComPortNumber,
- PortInformation->Address,
- PortInformation->BaudRate);
- HalDisplayString(buffer);
+ Length = snprintf(Buffer, sizeof(Buffer),
+ "\r\nKernel Debugger: Serial port found: COM%ld (Port 0x%p) BaudRate %ld\r\n\r\n",
+ ComPortNumber,
+ PortInformation->Address,
+ PortInformation->BaudRate);
+ if (Length == -1)
+ {
+ /* Terminate it if we went over-board */
+ Buffer[sizeof(Buffer) - 1] = ANSI_NULL;
+ }
+
+ HalDisplayString(Buffer);
 #endif /* NDEBUG */
#if 0
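Review bot: The truncation check `if (Length == -1)` only covers the MSVC-style `_snprintf` contract (return -1 and leave the buffer unterminated on overflow); under the C99 `snprintf` contract the call returns the would-be length, which is >= sizeof(Buffer) on truncation, and always writes the terminator, so whichever contract the kernel's snprintf actually follows is what decides whether this branch ever fires — that cannot be confirmed from the hunk. A condition that is correct under either contract is `if (Length < 0 || (size_t)Length >= sizeof(Buffer))`, and it keeps the explicit terminator write, which HalDisplayString relies on. Note also that `CHAR Buffer[82]` is sized to the example string in the commit message (80 characters plus the terminator); a wider `%p` expansion or a multi-digit COM number would exceed it, which the bounded call now tolerates as truncation rather than an overflow. The body of KdPortInitializeEx begins and ends outside the hunk.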