diff options
author | jesper <jesper@FreeBSD.org> | 2001-05-27 23:26:11 +0000 |
---|---|---|
committer | jesper <jesper@FreeBSD.org> | 2001-05-27 23:26:11 +0000 |
commit | f3057f716004cf620c347c39a6ead15f43828661 (patch) | |
tree | 7f6162448136a1adec621809d004cef80769b109 /sys/boot | |
parent | 154e92fce6e2492cbf37af0695f1589c91459049 (diff) | |
download | FreeBSD-src-f3057f716004cf620c347c39a6ead15f43828661.zip FreeBSD-src-f3057f716004cf620c347c39a6ead15f43828661.tar.gz |
In sys/boot/common/module.c, near line 105 a request for a raw
file is processed by passing its name in argv[1]:
return(mod_loadobj(typestr, argv[1]));
however, it is not tested to see if argv[1] actually is defined.
At best, mod_loadobj() near line 244 returns an error like
"can't find 'garbage'" but if the "filename" entered is sufficiently
long, some buffer gets overrun. Of course, "load -t filename" is
actually a typo because we meant to type "load -t mfs_root filename";
nevertheless, a hung machine seems like too harsh a punishment for
such a small typo...
PR: i386/27693
Submitted by: Adrian Steinmann <ast@marabu.ch>
MFC after: 1 week
Diffstat (limited to 'sys/boot')
-rw-r--r-- | sys/boot/common/module.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/boot/common/module.c b/sys/boot/common/module.c index 3bcc3e4..343ca8d 100644 --- a/sys/boot/common/module.c +++ b/sys/boot/common/module.c @@ -100,7 +100,7 @@ command_load(int argc, char *argv[]) * Request to load a raw file? */ if (dofile) { - if ((typestr == NULL) || (*typestr == 0)) { + if (argc != 2 || (typestr == NULL) || (*typestr == 0)) { command_errmsg = "invalid load type"; return(CMD_ERROR); } |