svn commit: r297588 - stable/10/sys/kern
Sean Bruno
sbruno at FreeBSD.org
Tue Apr 5 18:27:48 UTC 2016
Author: sbruno
Date: Tue Apr 5 18:27:47 2016
New Revision: 297588
URL: https://svnweb.freebsd.org/changeset/base/297588
Log:
MFC r297488
Repair an overflow condition where a user could submit a string that was
not getting a proper bounds check.
PR: 206761
Submitted by: sson
Reviewed by: cturt at hardenedbsd.org
Modified:
stable/10/sys/kern/imgact_binmisc.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/kern/imgact_binmisc.c
==============================================================================
--- stable/10/sys/kern/imgact_binmisc.c Tue Apr 5 18:07:13 2016 (r297587)
+++ stable/10/sys/kern/imgact_binmisc.c Tue Apr 5 18:27:47 2016 (r297588)
@@ -1,5 +1,5 @@
-/*-
- * Copyright (c) 2013, Stacey D. Son
+/*
+ * Copyright (c) 2013-16, Stacey D. Son
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -222,16 +222,17 @@ imgact_binmisc_add_entry(ximgact_binmisc
{
imgact_binmisc_entry_t *ibe;
char *p;
+ int cnt;
if (xbe->xbe_msize > IBE_MAGIC_MAX)
return (EINVAL);
- for(p = xbe->xbe_name; *p != 0; p++)
- if (!isascii((int)*p))
+ for(cnt = 0, p = xbe->xbe_name; *p != 0; cnt++, p++)
+ if (cnt >= IBE_NAME_MAX || !isascii((int)*p))
return (EINVAL);
- for(p = xbe->xbe_interpreter; *p != 0; p++)
- if (!isascii((int)*p))
+ for(cnt = 0, p = xbe->xbe_interpreter; *p != 0; cnt++, p++)
+ if (cnt >= IBE_INTERP_LEN_MAX || !isascii((int)*p))
return (EINVAL);
/* Make sure we don't have any invalid #'s. */
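Review bot: The loop condition `*p != 0` is evaluated before the `cnt >= IBE_NAME_MAX` test in the body, so when `cnt` reaches the limit the code has already read `xbe->xbe_name[IBE_NAME_MAX]`; the `xbe_interpreter` loop has the same ordering. If those fields are arrays of exactly `IBE_NAME_MAX` and `IBE_INTERP_LEN_MAX` bytes (their declarations are not visible here), that is a one-byte read past the field. A string that fills the whole array would also be accepted whenever the following byte happens to be zero, leaving it unterminated for any later string handling. Rejecting unterminated input ahead of the isascii loops would close both, e.g. `if (strnlen(xbe->xbe_name, IBE_NAME_MAX) == IBE_NAME_MAX) return (EINVAL);` and the equivalent for `xbe_interpreter` with `IBE_INTERP_LEN_MAX`. The body of imgact_binmisc_add_entry continues outside this hunk.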
@@ -268,8 +269,6 @@ imgact_binmisc_add_entry(ximgact_binmisc
mtx_unlock(&interp_list_mtx);
ibe = imgact_binmisc_new_entry(xbe);
- if (!ibe)
- return (ENOMEM);
mtx_lock(&interp_list_mtx);
SLIST_INSERT_HEAD(&interpreter_list, ibe, link);