From 5e319c480c6d75a4601bb39d7a35ad712fad6edb Mon Sep 17 00:00:00 2001 From: "Kenneth D. Merry" Date: Tue, 7 Jun 2011 05:04:37 +0000 Subject: [PATCH] Set pca.p_bufr to NULL when we haven't allocated a buffer. Otherwise, p_bufr is set to garbage on the stack, and if that garbage happens to be non-NULL, and the TOLOG or TOCONS flag is set, putbuf() will get called and attempt to fill the non-existent buffer. This is really only relevant for tprintf() (and only when the priority is not -1), but set it in uprintf() and ttyprintf() for completeness. The next step, to avoid log buffer scrambling, would be to add the PRINTF_BUFR_SIZE code to tprintf(), but this should prevent panics. Submitted by: rmacklem Found by: pho
---
 sys/kern/subr_prf.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index 3334837747f5..48f2dd9ce8af 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -163,6 +163,7 @@ uprintf(const char *fmt, ...)
 goto out;
 }
 pca.flags = TOTTY;
+ pca.p_bufr = NULL;
 va_start(ap, fmt);
 tty_lock(pca.tty);
 retval = kvprintf(fmt, putchar, &pca, 10, ap);
@@ -206,6 +207,7 @@ tprintf(struct proc *p, int pri, const char *fmt, ...)
 pca.pri = pri;
 pca.tty = tp;
 pca.flags = flags;
+ pca.p_bufr = NULL;
 va_start(ap, fmt);
 if (pca.tty != NULL)
 tty_lock(pca.tty);
@@ -234,6 +236,7 @@ ttyprintf(struct tty *tp, const char *fmt, ...)
 va_start(ap, fmt);
 pca.tty = tp;
 pca.flags = TOTTY;
+ pca.p_bufr = NULL;
 retval = kvprintf(fmt, putchar, &pca, 10, ap);
 va_end(ap);
 return (retval);
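Review bot: In uprintf(), `pca` is still filled in one member at a time, so any member that is not assigned explicitly stays stack garbage, which is the same class of bug this commit fixes for `p_bufr`. Zeroing the whole structure before the assignments, e.g. `bzero(&pca, sizeof(pca));`, would cover `p_bufr` and any member added later. The same applies to the tprintf() and ttyprintf() hunks. The declaration of `pca` and the rest of each function lie outside the hunks, so whether other members are read on these paths cannot be confirmed from here.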
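Review bot: The added `pca.p_bufr = NULL;` in tprintf() has no comment, and per the commit message this is the one caller where the value matters, since `flags` can carry TOLOG or TOCONS when the priority is not -1. A short comment such as `/* No buffer allocated here; a NULL p_bufr keeps putbuf() from being called. */` would record why the assignment must not be dropped in a later cleanup. The body of tprintf() starts and ends outside the hunk.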