author | pjd <pjd@FreeBSD.org> | 2005-06-11 14:58:20 +0000 |
---|---|---|
committer | pjd <pjd@FreeBSD.org> | 2005-06-11 14:58:20 +0000 |
commit | be79126844179d84dda297cece04bb6d2462eb03 (patch) | |
tree | ba08cbe1479ab6475a323dcd20c59c880dafee4d /sys/compat | |
parent | e5e29d142df527fb60c2bf5787693048c03ccd91 (diff) | |
download | FreeBSD-src-be79126844179d84dda297cece04bb6d2462eb03.zip FreeBSD-src-be79126844179d84dda297cece04bb6d2462eb03.tar.gz |
Do not allocate memory based on an unchecked argument from userland.
It can be used to panic the kernel by giving too big a value.
Fix it by moving allocation and size verification into kern_getfsstat().
This even simplifies kern_getfsstat() consumers, but destroys symmetry -
memory is allocated inside kern_getfsstat(), but has to be freed by the
caller.
Found by: FreeBSD Kernel Stress Test Suite: http://www.holm.cc/stress/
Reported by: Peter Holm <peter@holm.cc>
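The pattern the commit message describes, as an added userland model (this is example code, not FreeBSD's kern_getfsstat() or the compat wrapper): the "before" variant sizes a kernel allocation straight from a user-supplied buffer size, while the "after" variant moves the size check and the allocation into the helper, which bounds the request by the number of mounted file systems and always stores a pointer for the caller to free. The struct layout, the mount table, the allocator limit and every function name are assumptions made for the example.

```c
/* Added example, not FreeBSD code: contrasts allocating from an unchecked
 * user-supplied size with the commit's approach of verifying the size and
 * allocating inside the kernel helper (caller frees). Names, the mount table
 * and the allocator limit are hypothetical. */
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct statfs (48 bytes). */
struct statfs_like {
    uint64_t f_blocks;
    uint64_t f_bfree;
    char     f_mntonname[32];
};

/* Constructed mount table standing in for the kernel's mountlist. */
static const char *mounted_on[] = { "/", "/usr", "/tmp" };
#define N_MOUNTED (sizeof(mounted_on) / sizeof(mounted_on[0]))

/* Model of malloc(9) with M_WAITOK: a request larger than the allocator can
 * ever satisfy panics instead of failing. The panic is recorded rather than
 * aborting so both variants can be compared in one run. */
#define KMEM_LIMIT (1u << 20)   /* hypothetical 1 MiB allocator ceiling */
static int panicked;

static void *kmalloc_waitok(size_t size)
{
    if (size > KMEM_LIMIT) {
        panicked = 1;            /* a real kernel would panic() here */
        return NULL;
    }
    return malloc(size);
}

static void fill_stats(struct statfs_like *sp, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        sp[i].f_blocks = 1000 * (i + 1);
        sp[i].f_bfree  = 500 * (i + 1);
        snprintf(sp[i].f_mntonname, sizeof(sp[i].f_mntonname), "%s",
            mounted_on[i]);
    }
}

/* BEFORE: the wrapper sizes the allocation from the untrusted bufsize and
 * only afterwards clamps the entry count. Returns entries filled, or -1
 * with *bufp == NULL when the allocator "panics". */
long getfsstat_unchecked(uint32_t user_bufsize, struct statfs_like **bufp)
{
    size_t count = user_bufsize / sizeof(struct statfs_like);
    size_t size  = count * sizeof(struct statfs_like);
    struct statfs_like *buf = NULL;

    if (size > 0)
        buf = kmalloc_waitok(size);      /* size was never validated */
    if (size > 0 && buf == NULL) {
        *bufp = NULL;
        return -1;
    }
    if (count > N_MOUNTED)
        count = N_MOUNTED;               /* too late: memory is already gone */
    if (count > 0)
        fill_stats(buf, count);
    *bufp = buf;
    return (long)count;
}

/* AFTER: the helper bounds the request by what it actually needs before
 * allocating, and assigns *bufp on every return path so the caller can
 * free() it unconditionally. A bufsize of 0 only reports the mount count. */
int kern_getfsstat_like(uint32_t user_bufsize, struct statfs_like **bufp,
    size_t *countp)
{
    size_t maxcount = user_bufsize / sizeof(struct statfs_like);

    *bufp = NULL;
    if (maxcount == 0) {
        *countp = N_MOUNTED;
        return 0;
    }
    if (maxcount > N_MOUNTED)
        maxcount = N_MOUNTED;            /* the check the old code lacked */
    *bufp = kmalloc_waitok(maxcount * sizeof(struct statfs_like));
    if (*bufp == NULL)
        return ENOMEM;
    fill_stats(*bufp, maxcount);
    *countp = maxcount;
    return 0;
}

/* Caller in the style of the compat wrapper: it no longer allocates, but it
 * owns the buffer once the helper returns (the asymmetry the commit notes). */
int getfsstat_checked(uint32_t user_bufsize, long *nret)
{
    struct statfs_like *buf;
    size_t count = 0;
    int error = kern_getfsstat_like(user_bufsize, &buf, &count);

    if (error == 0)
        *nret = (long)count;   /* a real wrapper would copy entries out here */
    free(buf);                 /* safe: helper always set buf, NULL or valid */
    return error;
}

int main(void)
{
    struct statfs_like *buf;
    long n = getfsstat_unchecked(UINT32_MAX, &buf);
    printf("unchecked: ret=%ld panicked=%d\n", n, panicked);
    panicked = 0;
    int error = getfsstat_checked(UINT32_MAX, &n);
    printf("checked:   error=%d entries=%ld panicked=%d\n", error, n, panicked);
    return 0;
}
```

Feeding UINT32_MAX as the buffer size makes the difference visible: the unchecked wrapper asks the allocator for roughly 4 GiB and "panics", while the checked helper never requests more than three entries' worth of memory.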
Diffstat (limited to 'sys/compat')
-rw-r--r-- | sys/compat/freebsd32/freebsd32_misc.c | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c index 1c003a0..ae61fbd 100644 --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -163,12 +163,8 @@ freebsd4_freebsd32_getfsstat(struct thread *td, struct freebsd4_freebsd32_getfss count = uap->bufsize / sizeof(struct statfs32); size = count * sizeof(struct statfs); - if (size > 0) - buf = malloc(size, M_TEMP, M_WAITOK); - else - buf = NULL; - error = kern_getfsstat(td, buf, size, UIO_SYSSPACE, uap->flags); - if (buf != NULL) { + error = kern_getfsstat(td, &buf, size, UIO_SYSSPACE, uap->flags); + if (size > 0) { count = td->td_retval[0]; sp = buf; while (count > 0 && error == 0) { |
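Review bot: In freebsd4_freebsd32_getfsstat() the gate around the copy-out block changes from `if (buf != NULL)` to `if (size > 0)`, but `buf` is now assigned only by kern_getfsstat() through `&buf`; if kern_getfsstat() rejects an oversized request before allocating and returns an error, the block still runs with `size > 0` and `buf` never initialized in this function. The visible loop is guarded by `error == 0`, and the free the commit message says the caller must now do lies outside the hunk, so either initialize `buf = NULL` before the call and free only a non-NULL pointer, or document that kern_getfsstat() stores a pointer (NULL or allocated) into `*buf` on every return path, errors included. Note also that `size = count * sizeof(struct statfs)` is still derived from the unchecked uap->bufsize and passed down unchanged, so the bound inside kern_getfsstat() is the only protection; a one-line comment here saying so would discourage anyone from reintroducing a local malloc(size, M_TEMP, M_WAITOK).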