| author | tjr <tjr@FreeBSD.org> | 2003-10-20 10:38:48 +0000 |
|---|---|---|
| committer | tjr <tjr@FreeBSD.org> | 2003-10-20 10:38:48 +0000 |
| commit | f2b3ceb410d51e658a31ff42364fdb5ba4807050 | |
| tree | d4a477c513a3c9cad3f7adde8a226d844b78f56e /sys/compat/svr4/svr4_filio.c | |
| parent | 44cdfe0ed80ea7f0bf415c4ab952824c8e9d873f | |
Fix some security bugs in the SVR4 emulator:
- Return NULL instead of returning memory outside of the stackgap in stackgap_alloc() (FreeBSD-SA-00:42.linux)
- Check for stackgap_alloc() returning NULL in svr4_emul_find() and clean_pipe().
- Avoid integer overflow on large nfds argument in svr4_sys_poll()
- Reject negative nbytes argument in svr4_sys_getdents()
- Don't copy out past the end of the struct componentname pathname buffer in svr4_sys_resolvepath()
- Reject out-of-range signal numbers in svr4_sys_sigaction(), svr4_sys_signal(), and svr4_sys_kill().
- Don't malloc() user-specified lengths in show_ioc() and show_strbuf(); place arbitrary limits instead.
- Range-check lengths in si_listen(), ti_getinfo(), ti_bind(), svr4_do_putmsg(), svr4_do_getmsg(), svr4_stream_ti_ioctl().

Some fixes obtained from OpenBSD.
Diffstat (limited to 'sys/compat/svr4/svr4_filio.c')
-rw-r--r-- | sys/compat/svr4/svr4_filio.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/compat/svr4/svr4_filio.c b/sys/compat/svr4/svr4_filio.c index 3b4467a..79b9bf4 100644 --- a/sys/compat/svr4/svr4_filio.c +++ b/sys/compat/svr4/svr4_filio.c @@ -40,6 +40,8 @@ __FBSDID("$FreeBSD$"); #include <sys/poll.h> #include <sys/malloc.h> #include <sys/mutex.h> +#include <sys/resource.h> +#include <sys/resourcevar.h> #include <sys/sysproto.h> @@ -64,6 +66,11 @@ svr4_sys_poll(td, uap) int idx = 0, cerr; u_long siz; + mtx_assert(&Giant, MA_OWNED); + if (uap->nfds > td->td_proc->p_rlimit[RLIMIT_NOFILE].rlim_cur && + uap->nfds > FD_SETSIZE) + return (EINVAL); + pa.fds = uap->fds; pa.nfds = uap->nfds; pa.timeout = uap->timeout; |
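Review bot: the new guard in the svr4_sys_poll() hunk rejects nfds only when it exceeds both p_rlimit[RLIMIT_NOFILE].rlim_cur and FD_SETSIZE, so the effective bound is max(rlim_cur, FD_SETSIZE) rather than the process's open-file limit; if that is the intent (it is enough to keep the nfds-derived `siz` from overflowing, which is what the commit message targets), a one-line comment above the `if` would stop the next reader from taking the `&&` for a typo for `||`. The comparison also relies on uap->nfds being an unsigned type: with a plain int, a negative value compares below both bounds and passes the check, so the declaration of nfds in the svr4 poll args should be confirmed. The added `mtx_assert(&Giant, MA_OWNED)` presumably records that p_rlimit is read under Giant here; saying so in a comment next to the assert would make the locking assumption explicit.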