Author: cperciva
Date: Mon Mar 23 00:00:50 2009
New Revision: 190301
URL: http://svn.freebsd.org/changeset/base/190301

Log:
  Correctly sanity-check timer IDs. [SA-09:06]
  
  Limit the size of malloced buffer when dumping environment
  variables. [EN-09:01]
  
  Approved by:  so (cperciva)
  Approved by:  re (kensmith)
  Security:     FreeBSD-SA-09:06.ktimer
  Errata:               FreeBSD-EN-09:01.kenv

Modified:
  head/sys/kern/kern_environment.c
  head/sys/kern/kern_time.c

Changes in other areas also in this revision:
Modified:
  releng/7.0/UPDATING
  releng/7.0/sys/conf/newvers.sh
  releng/7.0/sys/kern/kern_environment.c
  releng/7.0/sys/kern/kern_time.c
  releng/7.1/UPDATING
  releng/7.1/sys/conf/newvers.sh
  releng/7.1/sys/kern/kern_environment.c
  releng/7.1/sys/kern/kern_time.c
  stable/7/sys/kern/kern_environment.c
  stable/7/sys/kern/kern_time.c

Modified: head/sys/kern/kern_environment.c
==============================================================================
--- head/sys/kern/kern_environment.c    Sun Mar 22 23:00:52 2009        
(r190300)
+++ head/sys/kern/kern_environment.c    Mon Mar 23 00:00:50 2009        
(r190301)
@@ -87,7 +87,7 @@ kenv(td, uap)
        } */ *uap;
 {
        char *name, *value, *buffer = NULL;
-       size_t len, done, needed;
+       size_t len, done, needed, buflen;
        int error, i;
 
        KASSERT(dynamic_kenv, ("kenv: dynamic_kenv = 0"));
@@ -100,13 +100,17 @@ kenv(td, uap)
                        return (error);
 #endif
                done = needed = 0;
+               buflen = uap->len;
+               if (buflen > KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2))
+                       buflen = KENV_SIZE * (KENV_MNAMELEN +
+                           KENV_MVALLEN + 2);
                if (uap->len > 0 && uap->value != NULL)
-                       buffer = malloc(uap->len, M_TEMP, M_WAITOK|M_ZERO);
+                       buffer = malloc(buflen, M_TEMP, M_WAITOK|M_ZERO);
                mtx_lock(&kenv_lock);
                for (i = 0; kenvp[i] != NULL; i++) {
                        len = strlen(kenvp[i]) + 1;
                        needed += len;
-                       len = min(len, uap->len - done);
+                       len = min(len, buflen - done);
                        /*
                         * If called with a NULL or insufficiently large
                         * buffer, just keep computing the required size.
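Review bot: The cap `KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2)` is spelled out twice in the new clamp and carries no comment explaining why the requested length is bounded there. I would compute it once into a named local or macro and add a comment such as `/* Bound the caller-requested length by the largest possible dump so the M_WAITOK allocation cannot be driven by an arbitrary size. */` (the "largest possible dump" reading is inferred from the constant names and should be confirmed). The allocation guard still tests `uap->len > 0` while the allocation and the `min()` now use `buflen`; testing `buflen > 0` would keep the block on a single variable. The copy-out and return path of this branch lie outside the hunk, so any remaining use of `uap->len` against `buffer` there should be checked to use `buflen` as well.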

Modified: head/sys/kern/kern_time.c
==============================================================================
--- head/sys/kern/kern_time.c   Sun Mar 22 23:00:52 2009        (r190300)
+++ head/sys/kern/kern_time.c   Mon Mar 23 00:00:50 2009        (r190301)
@@ -1085,7 +1085,8 @@ itimer_find(struct proc *p, int timerid)
        struct itimer *it;
 
        PROC_LOCK_ASSERT(p, MA_OWNED);
-       if ((p->p_itimers == NULL) || (timerid >= TIMER_MAX) ||
+       if ((p->p_itimers == NULL) ||
+           (timerid < 0) || (timerid >= TIMER_MAX) ||
            (it = p->p_itimers->its_timers[timerid]) == NULL) {
                return (NULL);
        }
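Review bot: The new `(timerid < 0)` test is only effective because it sits ahead of the `its_timers[timerid]` load in the same `||` chain, and nothing in the condition says so. A short comment above the `if`, for example `/* timerid is a signed, caller-provided index: check both bounds before it is used to index its_timers[]. */`, would protect the ordering against a later reshuffle (that the value originates from a syscall argument is inferred from the advisory reference, not visible here). Only `itimer_find` is shown, and its body continues outside the hunk. Any other site in this file that indexes `its_timers[]` with a timer ID without going through this function would need the same lower-bound check.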