authordas <das@FreeBSD.org>2005-03-23 08:28:06 +0000
committerdas <das@FreeBSD.org>2005-03-23 08:28:06 +0000
commit6a2a1d94925dc84b521020f8748ebfb0bdea14d1 (patch)
tree59846dbd5ab7c9984ce4f0a5b7ba05c7aeb2fd17
parentd1fb7b8c2ae75f2a9c1997d2f4259a50b7d80512 (diff)
Bounds check the user-supplied length used in a copyout() in
svr4_do_getmsg(). In principle this bug could disclose data from kernel memory, but in practice, the SVR4 emulation layer is probably not functional enough to cause the relevant code path to be executed. In any case, the emulator has been disconnected from the build since 5.0-RELEASE. Found by: Coverity Prevent analysis tool
-rw-r--r--sys/compat/svr4/svr4_stream.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/compat/svr4/svr4_stream.c b/sys/compat/svr4/svr4_stream.c
index 68bdf7c..e11c84c 100644
--- a/sys/compat/svr4/svr4_stream.c
+++ b/sys/compat/svr4/svr4_stream.c
@@ -2226,6 +2226,8 @@ svr4_do_getmsg(td, uap, fp)
}
if (uap->ctl) {
+ if (ctl.len > sizeof(sc))
+ ctl.len = sizeof(sc);
if (ctl.len != -1)
if ((error = copyout(&sc, ctl.buf, ctl.len)) != 0)
return error;
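Review bot: The added clamp `if (ctl.len > sizeof(sc))` runs before the `ctl.len != -1` sentinel test. If `ctl.len` is a signed int (its declaration is outside this hunk, so this is an assumption to confirm), the comparison against a `size_t` converts -1 to a huge unsigned value. In that case the -1 "no control part" value is rewritten to `sizeof(sc)`, the following `!= -1` check can never skip the copy, and `copyout()` writes the full `sc` to `ctl.buf`. Testing the sentinel first keeps both behaviours, e.g. `if (ctl.len != -1 && (size_t)ctl.len > sizeof(sc))`, which still clamps other negative lengths. It is also worth confirming that `sc` is fully initialised on every path reaching this point, since the clamp permits copying all of it; svr4_do_getmsg()'s body starts and ends outside the hunk.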