author | tjr <tjr@FreeBSD.org> | 2003-10-20 10:38:48 +0000 |
---|---|---|
committer | tjr <tjr@FreeBSD.org> | 2003-10-20 10:38:48 +0000 |
commit | f2b3ceb410d51e658a31ff42364fdb5ba4807050 (patch) | |
tree | d4a477c513a3c9cad3f7adde8a226d844b78f56e /sys/compat/svr4/svr4_signal.c | |
parent | 44cdfe0ed80ea7f0bf415c4ab952824c8e9d873f (diff) | |
Fix some security bugs in the SVR4 emulator:
- Return NULL instead of returning memory outside of the stackgap
in stackgap_alloc() (FreeBSD-SA-00:42.linux)
- Check for stackgap_alloc() returning NULL in svr4_emul_find(),
and clean_pipe().
- Avoid integer overflow on large nfds argument in svr4_sys_poll()
- Reject negative nbytes argument in svr4_sys_getdents()
- Don't copy out past the end of the struct componentname
pathname buffer in svr4_sys_resolvepath()
- Reject out-of-range signal numbers in svr4_sys_sigaction(),
svr4_sys_signal(), and svr4_sys_kill().
- Don't malloc() user-specified lengths in show_ioc() and
show_strbuf(), place arbitrary limits instead.
- Range-check lengths in si_listen(), ti_getinfo(), ti_bind(),
svr4_do_putmsg(), svr4_do_getmsg(), svr4_stream_ti_ioctl().
Some fixes obtained from OpenBSD.
Diffstat (limited to 'sys/compat/svr4/svr4_signal.c')
-rw-r--r-- | sys/compat/svr4/svr4_signal.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/sys/compat/svr4/svr4_signal.c b/sys/compat/svr4/svr4_signal.c
index f1d2769..dc6af50 100644
--- a/sys/compat/svr4/svr4_signal.c
+++ b/sys/compat/svr4/svr4_signal.c
@@ -269,6 +269,9 @@ svr4_sys_sigaction(td, uap)
 struct sigaction *nbsap;
 int error;
+ if (uap->signum < 0 || uap->signum >= SVR4_NSIG)
+ return (EINVAL);
+
 DPRINTF(("@@@ svr4_sys_sigaction(%d, %d, %d)\n", td->td_proc->p_pid, uap->signum, SVR4_SVR42BSD_SIG(uap->signum)));
@@ -337,9 +340,14 @@ svr4_sys_signal(td, uap)
 p = td->td_proc;
 DPRINTF(("@@@ svr4_sys_signal(%d)\n", p->p_pid));
- signum = SVR4_SVR42BSD_SIG(SVR4_SIGNO(uap->signum));
- if (signum <= 0 || signum > SVR4_NSIG)
+ signum = SVR4_SIGNO(uap->signum);
+ if (signum < 0 || signum >= SVR4_NSIG) {
+ if (SVR4_SIGCALL(uap->signum) == SVR4_SIGNAL_MASK ||
+ SVR4_SIGCALL(uap->signum) == SVR4_SIGDEFER_MASK)
+ td->td_retval[0] = (int)SVR4_SIG_ERR;
 return (EINVAL);
+ }
+ signum = SVR4_SVR42BSD_SIG(signum);
 switch (SVR4_SIGCALL(uap->signum)) {
 case SVR4_SIGDEFER_MASK:
@@ -509,6 +517,8 @@ svr4_sys_kill(td, uap)
 {
 struct kill_args ka;
+ if (uap->signum < 0 || uap->signum >= SVR4_NSIG)
+ return (EINVAL);
 ka.pid = uap->pid;
 ka.signum = SVR4_SVR42BSD_SIG(uap->signum);
 return kill(td, &ka); |
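Review bot: The new guard in svr4_sys_sigaction rejects negative and too-large values but still lets signum 0 through, and 0 is not a signal that can carry an action; the svr4_sys_signal hunk uses the same lower bound, where the removed test was `signum <= 0`. Unless 0 is known to be rejected further down (not visible in this hunk), the check could read `if (uap->signum <= 0 || uap->signum >= SVR4_NSIG)`. A one-line comment such as `/* bound signum before SVR4_SVR42BSD_SIG() translates it */` would also record why the check has to sit above the DPRINTF, which already applies the macro to the user-supplied value. The function body starts and ends outside the hunk.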
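Review bot: After this change the value produced by `signum = SVR4_SVR42BSD_SIG(signum);` goes straight into the switch with no check, whereas the removed code tested the translated number with `signum <= 0`. If the translation can yield 0 for an in-range SVR4 number that has no BSD counterpart (the macro's definition is not visible here), that case is no longer rejected. Re-adding `if (signum <= 0)` after the translation, with the same SVR4_SIG_ERR return-value handling as the range check above it, would keep the old behaviour. The switch continues outside the hunk.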
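Review bot: In svr4_sys_kill the lower bound `uap->signum < 0` has to admit 0, since kill with signal 0 is the existence/permission probe, but nothing in the code says so, and the identical checks in svr4_sys_sigaction and svr4_sys_signal make the three look interchangeable. A comment above the check, e.g. `/* 0 is valid here: kill(pid, 0) only tests for the process */`, would document the difference. The same range test now appears in three functions; a small shared macro or inline helper would keep the upper bound in one place. The closing brace of the function is outside the hunk.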