From c5f01980705930bf46059a004e20e010d8e21dfa Mon Sep 17 00:00:00 2001
From: Robert Wing
Date: Sat, 25 Feb 2023 09:37:32 +0000
Subject: [PATCH] stand: fix buffer overflow in getrootmount()

Reviewed by: imp, allanjude
Sponsored By: Beckhoff Automation GmbH & Co. KG
Sponsored By: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D38734
---
 stand/common/boot.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/stand/common/boot.c b/stand/common/boot.c
index 06f604f595df..3ec827617d56 100644
--- a/stand/common/boot.c
+++ b/stand/common/boot.c
@@ -32,8 +32,9 @@ __FBSDID("$FreeBSD$");
 */
 #include
-#include
 #include
+#include
+#include
 #include
 #include "bootstrap.h"
@@ -321,14 +322,14 @@ getbootfile(int try)
 int
 getrootmount(char *rootdev)
 {
- char lbuf[128], *cp, *ep, *dev, *fstyp, *options;
+ char lbuf[KENV_MVALLEN], *cp, *ep, *dev, *fstyp, *options;
 int fd, error;
 if (getenv("vfs.root.mountfrom") != NULL) return(0);
 error = 1;
- sprintf(lbuf, "%s/etc/fstab", rootdev);
+ snprintf(lbuf, sizeof(lbuf), "%s/etc/fstab", rootdev);
 if ((fd = open(lbuf, O_RDONLY)) < 0) goto notfound;
@@ -382,7 +383,7 @@ getrootmount(char *rootdev)
 *cp = 0;
 options = strdup(ep);
 /* Build the : and save it in vfs.root.mountfrom */
- sprintf(lbuf, "%s:%s", fstyp, dev);
+ snprintf(lbuf, sizeof(lbuf), "%s:%s", fstyp, dev);
 setenv("vfs.root.mountfrom", lbuf, 0);
 /* Don't override vfs.root.mountfrom.options if it is already set */
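Review bot: In the -321 hunk of getrootmount(), the new `snprintf(lbuf, sizeof(lbuf), "%s/etc/fstab", rootdev)` discards its return value, so an over-long rootdev no longer overruns lbuf but is silently truncated, and the open() that follows is attempted on a shortened path instead of the intended fstab. Treating truncation as a lookup failure keeps the loader from reading a file the caller never named: `if (snprintf(lbuf, sizeof(lbuf), "%s/etc/fstab", rootdev) >= (int)sizeof(lbuf)) goto notfound;`, which takes the same exit the failed open() already uses before any descriptor exists. The same unchecked pattern appears in the -382 hunk, where a truncated `"%s:%s"` result would be stored in vfs.root.mountfrom; whether fstyp and dev can actually exceed the buffer there is not visible from these hunks. The function body starts and ends outside both hunks, so the behaviour at the notfound label should be confirmed against the full file.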