CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]  2026/06/26 04:32:32

Modified files:
        sys/dev/usb    : ucom.c 

Log message:
ucom: fix OOB write in sysctl_ucominit with no ucom devices

cd_ndevs==0 makes ucomslen 0, so malloc(0) returns unzeroed storage
(M_ZERO memsets osize==0 bytes). strlen(ucoms) then walks garbage and
ucoms[strlen-1]=0 stores out of bounds (KASAN: __asan_store1, hw.ucomnames).
Size the buffer for one extra slot so it is never zero-sized.

KASAN#2, with a murmur of agreement in the hackroom

Reply via email to