svn commit: r297488 - head/sys/kern

Sean Bruno sbruno at FreeBSD.org
Fri Apr 1 16:16:27 UTC 2016


Author: sbruno
Date: Fri Apr  1 16:16:26 2016
New Revision: 297488
URL: https://svnweb.freebsd.org/changeset/base/297488

Log:
  Repair an overflow condition where a user could submit a string that was
  not getting a proper bounds check.
  
  Thanks to CTurt for pointing at this with a big red blinking neon sign.
  
  PR:		206761
  Submitted by:	sson
  Reviewed by:	cturt at hardenedbsd.org
  MFC after:	3 days

Modified:
  head/sys/kern/imgact_binmisc.c

Modified: head/sys/kern/imgact_binmisc.c
==============================================================================
--- head/sys/kern/imgact_binmisc.c	Fri Apr  1 11:32:52 2016	(r297487)
+++ head/sys/kern/imgact_binmisc.c	Fri Apr  1 16:16:26 2016	(r297488)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2013-15, Stacey D. Son
+ * Copyright (c) 2013-16, Stacey D. Son
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -220,16 +220,17 @@ imgact_binmisc_add_entry(ximgact_binmisc
 {
 	imgact_binmisc_entry_t *ibe;
 	char *p;
+	int cnt;
 
 	if (xbe->xbe_msize > IBE_MAGIC_MAX)
 		return (EINVAL);
 
-	for(p = xbe->xbe_name; *p != 0; p++)
-		if (!isascii((int)*p))
+	for(cnt = 0, p = xbe->xbe_name; *p != 0; cnt++, p++)
+		if (cnt >= IBE_NAME_MAX || !isascii((int)*p))
 			return (EINVAL);
 
-	for(p = xbe->xbe_interpreter; *p != 0; p++)
-		if (!isascii((int)*p))
+	for(cnt = 0, p = xbe->xbe_interpreter; *p != 0; cnt++, p++)
+		if (cnt >= IBE_INTERP_LEN_MAX || !isascii((int)*p))
 			return (EINVAL);
 
 	/* Make sure we don't have any invalid #'s. */
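Review bot: Both rewritten loops in imgact_binmisc_add_entry still evaluate `*p != 0` before the new `cnt >= IBE_NAME_MAX` / `cnt >= IBE_INTERP_LEN_MAX` test, so a string with no NUL inside its field is read one byte past the limit before it can be rejected. If that byte happens to be zero the loop simply ends and the unterminated name or interpreter is accepted, which presumably leaves the over-long string reaching the later copy (the field sizes and the copy are outside this hunk, so confirm against the struct definition). Checking the length first removes the dependence on the neighbouring byte: `if (strnlen(xbe->xbe_name, IBE_NAME_MAX) == IBE_NAME_MAX) return (EINVAL);`, and the same for `xbe_interpreter` with `IBE_INTERP_LEN_MAX`, leaving the loops to do only the isascii() check. The function body starts before and continues after this hunk.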
@@ -266,8 +267,6 @@ imgact_binmisc_add_entry(ximgact_binmisc
 
 	/* Preallocate a new entry. */
 	ibe = imgact_binmisc_new_entry(xbe);
-	if (!ibe)
-		return (ENOMEM);
 
 	SLIST_INSERT_HEAD(&interpreter_list, ibe, link);
 	interp_list_entry_count++;

