cvs commit: src/sys/i386/ibcs2 ibcs2_misc.c ibcs2_signal.c
ibcs2_socksys.c ibcs2_util.c ibcs2_util.h imgact_coff.c
Tim J. Robbins
tjr at FreeBSD.org
Sat Oct 11 21:25:27 PDT 2003
tjr 2003/10/11 21:25:26 PDT
FreeBSD src repository
Modified files:
  sys/i386/ibcs2       ibcs2_misc.c ibcs2_signal.c
                       ibcs2_socksys.c ibcs2_util.c ibcs2_util.h
                       imgact_coff.c
Log:
Fix a multitude of security bugs in the iBCS2 emulator:
- Return NULL instead of returning memory outside of the stackgap
  in stackgap_alloc() (FreeBSD-SA-00:42.linux)
- Check for stackgap_alloc() returning NULL in ibcs2_emul_find();
  other calls to stackgap_alloc() have not been changed since they
  are small fixed-size allocations.
- Replace use of strcpy() with strlcpy() in exec_coff_imgact()
  to avoid buffer overflow
- Use strlcat() instead of strcat() to avoid a one byte buffer
  overflow in ibcs2_setipdomainname()
- Use copyinstr() instead of copyin() in ibcs2_setipdomainname()
  to ensure that the string is null-terminated
- Avoid integer overflow in ibcs2_setgroups() and ibcs2_setgroups()
  by checking that gidsetsize argument is non-negative and
  no larger than NGROUPS_MAX.
- Range-check signal numbers in ibcs2_wait(), ibcs2_sigaction(),
  ibcs2_sigsys() and ibcs2_kill() to avoid accessing array past
  the end (or before the start)
Revision  Changes    Path
1.52      +21 -3     src/sys/i386/ibcs2/ibcs2_misc.c
1.32      +7 -2      src/sys/i386/ibcs2/ibcs2_signal.c
1.19      +5 -3      src/sys/i386/ibcs2/ibcs2_socksys.c
1.17      +4 -2      src/sys/i386/ibcs2/ibcs2_util.c
1.17      +4 -1      src/sys/i386/ibcs2/ibcs2_util.h
1.61      +1 -1      src/sys/i386/ibcs2/imgact_coff.c
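
The last two items in the log describe range checks on caller-supplied integers. The following user-space sketch is an added example, not code from this commit or from the FreeBSD tree; it shows both checks on a signed count and a signed table index. The `EX_`/`ex_` names, the limits and the table contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limits for this sketch (assumptions, not kernel values). */
#define EX_NGROUPS_MAX 16
#define EX_NSIG        32

typedef uint32_t ex_gid_t;

/* Hypothetical foreign-to-native signal map; unlisted entries are 0. */
static const int ex_sig_map[EX_NSIG] = { [1] = 1, [2] = 2, [9] = 9, [15] = 15 };

/* Returns the copy size in bytes for a caller-supplied group count, or -1.
 * The count arrives as a signed int: without the lower bound, a negative
 * value converted to an unsigned size becomes enormous. */
long ex_groups_bytes(int gidsetsize)
{
    if (gidsetsize < 0 || gidsetsize > EX_NGROUPS_MAX)
        return -1;
    return (long)((size_t)gidsetsize * sizeof(ex_gid_t));
}

/* Returns the mapped signal, or -1 if sig would index outside the table
 * (past the end, or before the start for negative values). */
int ex_translate_signal(int sig)
{
    if (sig < 0 || sig >= EX_NSIG)
        return -1;
    return ex_sig_map[sig];
}

int main(void)
{
    /* Constructed inputs covering both edges of each range. */
    const int counts[] = { -1, 0, 16, 17, INT32_MAX };
    const int sigs[] = { -5, 9, 31, 32 };

    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("gidsetsize %d -> %ld\n", counts[i], ex_groups_bytes(counts[i]));
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        printf("signal %d -> %d\n", sigs[i], ex_translate_signal(sigs[i]));
    return 0;
}
```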