diff options
author | tjr <tjr@FreeBSD.org> | 2003-10-12 04:25:26 +0000 |
---|---|---|
committer | tjr <tjr@FreeBSD.org> | 2003-10-12 04:25:26 +0000 |
commit | b952d3fda36bfd8f96a2152c63ce386caab79def (patch) | |
tree | 2cbe2e22e1145e6680f02fd0c9c0f0bf6b4004d9 /release/doc/ja_JP.eucJP | |
parent | fef194d740bdc3a139dcc3c56e8cfd55261dc308 (diff) | |
download | FreeBSD-src-b952d3fda36bfd8f96a2152c63ce386caab79def.zip FreeBSD-src-b952d3fda36bfd8f96a2152c63ce386caab79def.tar.gz |
Fix a multitude of security bugs in the iBCS2 emulator:
- Return NULL instead of returning memory outside of the stackgap
in stackgap_alloc() (FreeBSD-SA-00:42.linux)
- Check for stackgap_alloc() returning NULL in ibcs2_emul_find();
other calls to stackgap_alloc() have not been changed since they
are small fixed-size allocations.
- Replace use of strcpy() with strlcpy() in exec_coff_imgact()
to avoid buffer overflow
- Use strlcat() instead of strcat() to avoid a one byte buffer
overflow in ibcs2_setipdomainname()
- Use copyinstr() instead of copyin() in ibcs2_setipdomainname()
to ensure that the string is null-terminated
- Avoid integer overflow in ibcs2_setgroups() and ibcs2_setgroups()
by checking that gidsetsize argument is non-negative and
no larger than NGROUPS_MAX.
- Range-check signal numbers in ibcs2_wait(), ibcs2_sigaction(),
ibcs2_sigsys() and ibcs2_kill() to avoid accessing array past
the end (or before the start)
Diffstat (limited to 'release/doc/ja_JP.eucJP')
0 files changed, 0 insertions, 0 deletions