diff options
author | sbruno <sbruno@FreeBSD.org> | 2016-07-22 03:09:47 +0000 |
---|---|---|
committer | sbruno <sbruno@FreeBSD.org> | 2016-07-22 03:09:47 +0000 |
commit | d26ee5186f346d81c40513713215d140ffa3a30f (patch) | |
tree | e20a8c2d2b629ad358b7ddb699a83e0d6a48566d | |
parent | 12a626dd41e19152d56e21bc82f39feb921c3cfb (diff) | |
download | FreeBSD-src-d26ee5186f346d81c40513713215d140ffa3a30f.zip FreeBSD-src-d26ee5186f346d81c40513713215d140ffa3a30f.tar.gz |
MFC r298351
Avoid a possible heap overflow in our nlm code by limiting the number
of service to the arbitrary value of 256. Log an appropriate message
that indicates the hard limit.
-rw-r--r-- | sys/nlm/nlm_prot_impl.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/nlm/nlm_prot_impl.c b/sys/nlm/nlm_prot_impl.c index 74fae87..915538b 100644 --- a/sys/nlm/nlm_prot_impl.c +++ b/sys/nlm/nlm_prot_impl.c @@ -1439,6 +1439,12 @@ nlm_register_services(SVCPOOL *pool, int addr_count, char **addrs) return (EINVAL); } + if (addr_count < 0 || addr_count > 256 ) { + NLM_ERR("NLM: too many service addresses (%d) given, " + "max 256 - can't start server\n", addr_count); + return (EINVAL); + } + xprts = malloc(addr_count * sizeof(SVCXPRT *), M_NLM, M_WAITOK|M_ZERO); for (i = 0; i < version_count; i++) { for (j = 0; j < addr_count; j++) { |