The array is not guaranteed to be null, nor is bzero() called. If the createSuffix() call at line 1150 uses the entire length of the buffer for the device serial number value then the strncpy() will leave a not-null terminated buffer. Below that call the value is used by setProperty() at line 1152:
fNub->setProperty( kIOTTYSuffixKey, suffix )
The incorrectly terminated string will result in a malformed property string, potentially a security issue, kernel panic, and makes the driver fail to generate /dev/tty.xxx entries.
bjarnoldus
commented
9 years ago
In Driver_PL2303.cpp Line 1119:
The array is not guaranteed to be null, nor is bzero() called. If the createSuffix() call at line 1150 uses the entire length of the buffer for the device serial number value then the strncpy() will leave a not-null terminated buffer. Below that call the value is used by setProperty() at line 1152:
The incorrectly terminated string will result in a malformed property string, potentially a security issue, kernel panic, and makes the driver fail to generate /dev/tty.xxx entries.
Proposed fix
Add the following at line 1151: