author | tjr <tjr@FreeBSD.org> | 2003-10-12 04:25:26 +0000 |
---|---|---|
committer | tjr <tjr@FreeBSD.org> | 2003-10-12 04:25:26 +0000 |
commit | b952d3fda36bfd8f96a2152c63ce386caab79def (patch) | |
tree | 2cbe2e22e1145e6680f02fd0c9c0f0bf6b4004d9 /sys/i386/ibcs2/ibcs2_signal.c | |
parent | fef194d740bdc3a139dcc3c56e8cfd55261dc308 (diff) | |
Fix a multitude of security bugs in the iBCS2 emulator:
- Return NULL instead of returning memory outside of the stackgap
in stackgap_alloc() (FreeBSD-SA-00:42.linux)
- Check for stackgap_alloc() returning NULL in ibcs2_emul_find();
other calls to stackgap_alloc() have not been changed since they
are small fixed-size allocations.
- Replace use of strcpy() with strlcpy() in exec_coff_imgact()
to avoid buffer overflow
- Use strlcat() instead of strcat() to avoid a one byte buffer
overflow in ibcs2_setipdomainname()
- Use copyinstr() instead of copyin() in ibcs2_setipdomainname()
to ensure that the string is null-terminated
- Avoid integer overflow in ibcs2_setgroups() and ibcs2_setgroups()
by checking that gidsetsize argument is non-negative and
no larger than NGROUPS_MAX.
- Range-check signal numbers in ibcs2_wait(), ibcs2_sigaction(),
ibcs2_sigsys() and ibcs2_kill() to avoid accessing array past
the end (or before the start)
Diffstat (limited to 'sys/i386/ibcs2/ibcs2_signal.c')
-rw-r--r-- | sys/i386/ibcs2/ibcs2_signal.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/i386/ibcs2/ibcs2_signal.c b/sys/i386/ibcs2/ibcs2_signal.c
index c22831a..6a4b9e4 100644
--- a/sys/i386/ibcs2/ibcs2_signal.c
+++ b/sys/i386/ibcs2/ibcs2_signal.c
@@ -206,6 +206,8 @@ ibcs2_sigaction(td, uap)
 		nbsap = &nbsa;
 	} else
 		nbsap = NULL;
+	if (uap->sig <= 0 || uap->sig > IBCS2_NSIG)
+		return (EINVAL);
 	error = kern_sigaction(td, ibcs2_to_bsd_sig[_SIG_IDX(uap->sig)],
 	    &nbsa, &obsa, 0);
 	if (error == 0 && uap->oact != NULL) {
@@ -222,15 +224,16 @@ ibcs2_sigsys(td, uap)
 {
 	struct proc *p = td->td_proc;
 	struct sigaction sa;
-	int signum = ibcs2_to_bsd_sig[_SIG_IDX(IBCS2_SIGNO(uap->sig))];
+	int signum = IBCS2_SIGNO(uap->sig);
 	int error;
 
-	if (signum <= 0 || signum >= IBCS2_NSIG) {
+	if (signum <= 0 || signum > IBCS2_NSIG) {
 		if (IBCS2_SIGCALL(uap->sig) == IBCS2_SIGNAL_MASK ||
 		    IBCS2_SIGCALL(uap->sig) == IBCS2_SIGSET_MASK)
 			td->td_retval[0] = (int)IBCS2_SIG_ERR;
 		return EINVAL;
 	}
+	signum = ibcs2_to_bsd_sig[_SIG_IDX(signum)];
 
 	switch (IBCS2_SIGCALL(uap->sig)) {
 	case IBCS2_SIGSET_MASK:
@@ -430,6 +433,8 @@ ibcs2_kill(td, uap)
 {
 	struct kill_args ka;
 
+	if (uap->signo <= 0 || uap->signo > IBCS2_NSIG)
+		return (EINVAL);
 	ka.pid = uap->pid;
 	ka.signum = ibcs2_to_bsd_sig[_SIG_IDX(uap->signo)];
 	return kill(td, &ka);
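Review bot: The new range check on `uap->sig` in ibcs2_sigaction() sits after the `uap->act` copy-in and conversion that precede the hunk, so an invalid signal number still costs a user copy before it is rejected; moving `if (uap->sig <= 0 || uap->sig > IBCS2_NSIG) return (EINVAL);` to the top of the function would fail fast with the same result. The upper bound admits `uap->sig == IBCS2_NSIG`, which is in bounds only if `ibcs2_to_bsd_sig` has IBCS2_NSIG entries indexed through `_SIG_IDX()` — the table is not in the hunk, so this should be confirmed against its definition, and the same bound is used in the ibcs2_sigsys() and ibcs2_kill() hunks. Separately, the context lines compute `nbsap` but then pass `&nbsa` to kern_sigaction(), so with `uap->act == NULL` a struct that appears never to be filled in is handed down; that is pre-existing rather than introduced here, but worth a follow-up. ibcs2_sigaction() starts and ends outside the hunk.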
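Review bot: After the new `signum = ibcs2_to_bsd_sig[_SIG_IDX(signum)];` in ibcs2_sigsys(), the translated value is used as a BSD signal number without being checked; if the table holds 0 (or another sentinel) for iBCS2 signals with no BSD equivalent — the table is not visible in the hunk, so this is a guess to confirm — the rest of the function would proceed with signal 0. A `if (signum == 0) return EINVAL;` after the lookup would close that, and the same consideration applies to `ka.signum` in the ibcs2_kill() hunk. A one-line comment such as `/* validate the iBCS2 number before using it as a table index, then translate */` above the range check would also record why the order of the two statements matters. ibcs2_sigsys() continues past the end of the hunk.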
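Review bot: The new check in ibcs2_kill() returns `(EINVAL)` with parentheses while the ibcs2_sigsys() hunk in the same commit writes `return EINVAL;`; the file mixes both forms in the visible lines, so picking one for the three checks added here would keep them consistent. A short comment above the check, `/* signo is an iBCS2 number in 1..IBCS2_NSIG; _SIG_IDX() maps it to a table slot */`, would make the bound self-explanatory for the next reader. ibcs2_kill() ends with the `return kill(td, &ka);` line, which is the last line of the hunk.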