kern/155321: imgact_shell integer underflow when argv[0] is longer than interp + path
Devon H. O'Dell
devon.odell at gmail.com
Sun Mar 6 21:36:32 UTC 2011
Actually, kib@ points out that this isn't quite correct; the correct
fix should indeed be a 1-liner, attached.
--dho
-------------- next part --------------
Index: sys/kern/imgact_shell.c
===================================================================
--- sys/kern/imgact_shell.c (revision 219345)
+++ sys/kern/imgact_shell.c (working copy)
@@ -195,7 +195,7 @@
length = (imgp->args->argc == 0) ? 0 :
strlen(imgp->args->begin_argv) + 1; /* bytes to delete */
- if (offset - length > imgp->args->stringspace) {
+ if (offset > length && offset - length > imgp->args->stringspace) {
if (sname != NULL)
sbuf_delete(sname);
return (E2BIG);
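Review bot: the new `offset > length` guard makes the `offset - length > imgp->args->stringspace` test short-circuit whenever `offset <= length`, so that case now never returns E2BIG; a one-line comment stating why no stringspace check is needed there (the bytes being deleted already cover what is being inserted, so the argument area only shrinks) would stop the next reader from taking the skipped bound for a missing one. Worth noting in the commit message too that the guard relies on `offset`, `length` and `stringspace` being unsigned: the original failure is the subtraction wrapping to a huge value and tripping the E2BIG return, which is exactly the `argv[0]` longer than interp + path case from the PR title.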