The building the dev nameunit string, in devclass_add_device() is based

on the assumption that the unit linked with the device is invariant but
that can change when calling devclass_alloc_unit() (because -1 is passed
or, more simply, because the unit choosen is beyond the table limits).
This results in a completely bogus string building.

Fix this by reserving the necessary room for all the possible characters
printable by a positive integer (we do not allow for negative unit
number).

Reported by:	Sandvine Incorporated
Reviewed by:	emaste
Sponsored by:	Sandvine Incorporated
MFC:		1 week

sys/kern/subr_bus.c

@@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/lock.h>
 #include <sys/kernel.h>
 #include <sys/kobj.h>
+#include <sys/limits.h>
 #include <sys/malloc.h>
 #include <sys/module.h>
 #include <sys/mutex.h>
@@ -1584,7 +1585,7 @@ devclass_add_device(devclass_t dc, device_t dev)
 
 	PDEBUG(("%s in devclass %s", DEVICENAME(dev), DEVCLANAME(dc)));
 
-	buflen = snprintf(NULL, 0, "%s%d$", dc->name, dev->unit);
+	buflen = snprintf(NULL, 0, "%s%d$", dc->name, INT_MAX);
 	if (buflen < 0)
 		return (ENOMEM);
 	dev->nameunit = malloc(buflen, M_BUS, M_NOWAIT|M_ZERO);