kern/155321: imgact_shell integer underflow when argv[0] is longer than interp + path

Devon H. O'Dell devon.odell at gmail.com
Sun Mar 6 21:36:32 UTC 2011


Actually, kib@ points out that this isn't quite correct; the correct
fix should indeed be a 1-liner, attached.

--dho
Index: sys/kern/imgact_shell.c
===================================================================
--- sys/kern/imgact_shell.c	(revision 219345)
+++ sys/kern/imgact_shell.c	(working copy)
@@ -195,7 +195,7 @@
 	length = (imgp->args->argc == 0) ? 0 :
 	    strlen(imgp->args->begin_argv) + 1;		/* bytes to delete */
 
-	if (offset - length > imgp->args->stringspace) {
+	if (offset > length && offset - length > imgp->args->stringspace) {
 		if (sname != NULL)
 			sbuf_delete(sname);
 		return (E2BIG);
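Review bot: the new `offset > length` guard is the whole fix, but nothing in the hunk says why it is there; a short comment above the condition (e.g. "avoid underflow when argv[0] is longer than the interp + path string") would keep a later cleanup from dropping it as redundant. Reasoning from the visible lines: `length` is the size of argv[0] plus its NUL and `offset` is the size of the replacement string; when `length` exceeds `offset` the argument block shrinks and cannot exceed `stringspace`, so the old unsigned subtraction wrapped to a huge value and returned E2BIG spuriously (the "integer underflow" in the PR title) rather than missing a real overflow. The `offset == length` case is unaffected by the guard, since the old expression then compared `0 > stringspace`, which is false either way.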


More information about the freebsd-bugs mailing list