From dfc2cc4e4255d7313402e3fa9b8ac329888ead9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
Date: Tue, 4 Apr 2023 03:03:42 +0200
Subject: [PATCH] [NTOS:KD] Fix buffer overflow for the signon in KdPortInitializeEx.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The built string can be: °°Kernel Debugger: Serial port found: COM1 (Port 0x000003F8) BaudRate 115200°°°° (with ° representing the \r and \n in the message) and you can verify that this is more than 80 characters in total.
---
 ntoskrnl/kd/i386/kdserial.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/ntoskrnl/kd/i386/kdserial.c b/ntoskrnl/kd/i386/kdserial.c
index 9869011460b..db5f75b54bc 100644
--- a/ntoskrnl/kd/i386/kdserial.c
+++ b/ntoskrnl/kd/i386/kdserial.c
@@ -106,15 +106,22 @@ KdPortInitializeEx(
     else
     {
 #ifndef NDEBUG
-        CHAR buffer[80];
+        int Length;
+        CHAR Buffer[82];
 
         /* Print message to blue screen */
-        sprintf(buffer,
-                "\r\nKernel Debugger: Serial port found: COM%ld (Port 0x%p) BaudRate %ld\r\n\r\n",
-                ComPortNumber,
-                PortInformation->Address,
-                PortInformation->BaudRate);
-        HalDisplayString(buffer);
+        Length = snprintf(Buffer, sizeof(Buffer),
+                          "\r\nKernel Debugger: Serial port found: COM%ld (Port 0x%p) BaudRate %ld\r\n\r\n",
+                          ComPortNumber,
+                          PortInformation->Address,
+                          PortInformation->BaudRate);
+        if (Length == -1)
+        {
+            /* Terminate it if we went over-board */
+            Buffer[sizeof(Buffer) - 1] = ANSI_NULL;
+        }
+
+        HalDisplayString(Buffer);
 #endif /* NDEBUG */
 
 #if 0
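Review bot: The truncation test `if (Length == -1)` only matches the legacy MSVC-style `_snprintf` contract (return -1 and leave the buffer unterminated on overflow); a C99-conformant `snprintf` instead returns the length the full string would have had, which is >= sizeof(Buffer) on truncation, and already NUL-terminates, so under that implementation the branch never fires and an over-long signon is silently cut rather than noticed. A check that is correct under both contracts is `if (Length < 0 || Length >= (int)sizeof(Buffer))`, keeping the existing termination inside it. The new `CHAR Buffer[82]` is also sized for exactly the example in the commit message (the 80-character signon plus its terminator): a two-digit COM number fills it to the last byte and any longer field, or a wider `%p` rendering, is truncated, so a roomier `CHAR Buffer[128]` would cost nothing on this stack frame and remove the dependency on the exact field widths. KdPortInitializeEx begins and ends outside the hunk.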