Add bounds checking to stackgap_alloc. Previously it was possible

to construct a path that was long enough (ie longer than SPARE_USRSPACE bytes) and trash the stack. Note that SPARE_USRSPACE is much smaller than MAXPATHLEN so that the Linuxulator will now return ENAMETOOLONG even if the path is smaller than MAXPATHLEN. PR: 12749
author: marcel <marcel@FreeBSD.org> 2000-07-23 16:54:18 +0000
committer: marcel <marcel@FreeBSD.org> 2000-07-23 16:54:18 +0000
commit: a069944f46211cf481f1414ec35e8e264169f6f2 (patch)
tree: 49112d177fe8ca7bbe4a30d621fca616e31f7195 /sys/compat/linux/linux_util.c
parent: 232803be5c159e6ffdab510c966bf2f5c001a490 (diff)
download: FreeBSD-src-a069944f46211cf481f1414ec35e8e264169f6f2.zip
FreeBSD-src-a069944f46211cf481f1414ec35e8e264169f6f2.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/compat/linux/linux_util.c b/sys/compat/linux/linux_util.c
index 8faf35e..e0ea0cb 100644
--- a/sys/compat/linux/linux_util.c
+++ b/sys/compat/linux/linux_util.c
@@ -162,7 +162,10 @@ linux_emul_find(p, sgp, prefix, path, pbuf, cflag)
 	else {
 		sz = &ptr[len] - buf;
 		*pbuf = stackgap_alloc(sgp, sz + 1);
-		error = copyout(buf, *pbuf, sz);
+		if (*pbuf != NULL)
+			error = copyout(buf, *pbuf, sz);
+		else
+			error = ENAMETOOLONG;
 		free(buf, M_TEMP);
 	}
author	marcel <marcel@FreeBSD.org>	2000-07-23 16:54:18 +0000
committer	marcel <marcel@FreeBSD.org>	2000-07-23 16:54:18 +0000
commit	a069944f46211cf481f1414ec35e8e264169f6f2 (patch)
tree	49112d177fe8ca7bbe4a30d621fca616e31f7195 /sys/compat/linux/linux_util.c
parent	232803be5c159e6ffdab510c966bf2f5c001a490 (diff)
download	FreeBSD-src-a069944f46211cf481f1414ec35e8e264169f6f2.zip FreeBSD-src-a069944f46211cf481f1414ec35e8e264169f6f2.tar.gz