[Bug 208985] DoS / heap overflow in bpf_stats_sysctl
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Fri Apr 22 21:59:14 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208985
--- Comment #1 from CTurt <cturt at hardenedbsd.org> ---
To fix this bug, there should be a bound check on `req->oldlen` before calling
`malloc`, such as the following:
if (req->oldptr == NULL)
return (SYSCTL_OUT(req, 0, bpf_bpfd_cnt * sizeof(*xbd)));
if (bpf_bpfd_cnt == 0)
return (SYSCTL_OUT(req, 0, 0));
+ if (req->oldlen > 0x1000)
+ return EINVAL;
xbdbuf = malloc(req->oldlen, M_BPF, M_WAITOK);
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list