Author: sbruno
Date: Fri Apr 1 16:16:26 2016
New Revision: 297488
URL: https://svnweb.freebsd.org/changeset/base/297488
Log:
Repair a overflow condition where a user could submit a string that was
not getting a proper bounds check.
Thanks to CTurt for pointing at this with a big red blinking neon sign.
PR: 206761
Submitted by: sson
Reviewed by: ct...@hardenedbsd.org
MFC after: 3 days
Modified:
head/sys/kern/imgact_binmisc.c
Modified: head/sys/kern/imgact_binmisc.c
==============================================================================
--- head/sys/kern/imgact_binmisc.c Fri Apr 1 11:32:52 2016
(r297487)
+++ head/sys/kern/imgact_binmisc.c Fri Apr 1 16:16:26 2016
(r297488)
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2013-15, Stacey D. Son
+ * Copyright (c) 2013-16, Stacey D. Son
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -220,16 +220,17 @@ imgact_binmisc_add_entry(ximgact_binmisc
{
imgact_binmisc_entry_t *ibe;
char *p;
+ int cnt;
if (xbe->xbe_msize > IBE_MAGIC_MAX)
return (EINVAL);
- for(p = xbe->xbe_name; *p != 0; p++)
- if (!isascii((int)*p))
+ for(cnt = 0, p = xbe->xbe_name; *p != 0; cnt++, p++)
+ if (cnt >= IBE_NAME_MAX || !isascii((int)*p))
return (EINVAL);
- for(p = xbe->xbe_interpreter; *p != 0; p++)
- if (!isascii((int)*p))
+ for(cnt = 0, p = xbe->xbe_interpreter; *p != 0; cnt++, p++)
+ if (cnt >= IBE_INTERP_LEN_MAX || !isascii((int)*p))
return (EINVAL);
/* Make sure we don't have any invalid #'s. */
@@ -266,8 +267,6 @@ imgact_binmisc_add_entry(ximgact_binmisc
/* Preallocate a new entry. */
ibe = imgact_binmisc_new_entry(xbe);
- if (!ibe)
- return (ENOMEM);
SLIST_INSERT_HEAD(&interpreter_list, ibe, link);
interp_list_entry_count++;
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
