Add bounds checking to stackgap_alloc. Previously it was possible

to construct a path that was long enough (ie longer than SPARE_USRSPACE bytes) and trash the stack. Note that SPARE_USRSPACE is much smaller than MAXPATHLEN so that the Linuxulator will now return ENAMETOOLONG even if the path is smaller than MAXPATHLEN. PR: 12749
author: marcel <marcel@FreeBSD.org> 2000-07-23 16:54:18 +0000
committer: marcel <marcel@FreeBSD.org> 2000-07-23 16:54:18 +0000
commit: a069944f46211cf481f1414ec35e8e264169f6f2 (patch)
tree: 49112d177fe8ca7bbe4a30d621fca616e31f7195 /sys/compat/linux/linux_misc.c
parent: 232803be5c159e6ffdab510c966bf2f5c001a490 (diff)
download: FreeBSD-src-a069944f46211cf481f1414ec35e8e264169f6f2.zip
FreeBSD-src-a069944f46211cf481f1414ec35e8e264169f6f2.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c
index 1adea54..dcbff98 100644
--- a/sys/compat/linux/linux_misc.c
+++ b/sys/compat/linux/linux_misc.c
@@ -954,6 +954,8 @@ linux_utime(struct proc *p, struct linux_utime_args *args)
 	tv[1].tv_usec = 0;
 	/* so that utimes can copyin */
 	tvp = (struct timeval *)stackgap_alloc(&sg, sizeof(tv));
+	if (tvp == NULL)
+		return (ENAMETOOLONG);
 	if ((error = copyout(tv, tvp, sizeof(tv))))
 	    return error;
 	bsdutimes.tptr = tvp;
author	marcel <marcel@FreeBSD.org>	2000-07-23 16:54:18 +0000
committer	marcel <marcel@FreeBSD.org>	2000-07-23 16:54:18 +0000
commit	a069944f46211cf481f1414ec35e8e264169f6f2 (patch)
tree	49112d177fe8ca7bbe4a30d621fca616e31f7195 /sys/compat/linux/linux_misc.c
parent	232803be5c159e6ffdab510c966bf2f5c001a490 (diff)
download	FreeBSD-src-a069944f46211cf481f1414ec35e8e264169f6f2.zip FreeBSD-src-a069944f46211cf481f1414ec35e8e264169f6f2.tar.gz