diff options
author | tjr <tjr@FreeBSD.org> | 2003-10-12 04:25:26 +0000 |
---|---|---|
committer | tjr <tjr@FreeBSD.org> | 2003-10-12 04:25:26 +0000 |
commit | b952d3fda36bfd8f96a2152c63ce386caab79def (patch) | |
tree | 2cbe2e22e1145e6680f02fd0c9c0f0bf6b4004d9 /sys/i386/ibcs2/ibcs2_util.h | |
parent | fef194d740bdc3a139dcc3c56e8cfd55261dc308 (diff) | |
download | FreeBSD-src-b952d3fda36bfd8f96a2152c63ce386caab79def.zip FreeBSD-src-b952d3fda36bfd8f96a2152c63ce386caab79def.tar.gz |
Fix a multitude of security bugs in the iBCS2 emulator:
- Return NULL instead of returning memory outside of the stackgap
in stackgap_alloc() (FreeBSD-SA-00:42.linux)
- Check for stackgap_alloc() returning NULL in ibcs2_emul_find();
other calls to stackgap_alloc() have not been changed since they
are small fixed-size allocations.
- Replace use of strcpy() with strlcpy() in exec_coff_imgact()
to avoid buffer overflow
- Use strlcat() instead of strcat() to avoid a one byte buffer
overflow in ibcs2_setipdomainname()
- Use copyinstr() instead of copyin() in ibcs2_setipdomainname()
to ensure that the string is null-terminated
- Avoid integer overflow in ibcs2_setgroups() and ibcs2_setgroups()
by checking that gidsetsize argument is non-negative and
no larger than NGROUPS_MAX.
- Range-check signal numbers in ibcs2_wait(), ibcs2_sigaction(),
ibcs2_sigsys() and ibcs2_kill() to avoid accessing array past
the end (or before the start)
Diffstat (limited to 'sys/i386/ibcs2/ibcs2_util.h')
-rw-r--r-- | sys/i386/ibcs2/ibcs2_util.h | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/i386/ibcs2/ibcs2_util.h b/sys/i386/ibcs2/ibcs2_util.h index 7c26748..e95e50f 100644 --- a/sys/i386/ibcs2/ibcs2_util.h +++ b/sys/i386/ibcs2/ibcs2_util.h @@ -68,7 +68,10 @@ stackgap_alloc(sgp, sz) size_t sz; { void *p = (void *) *sgp; - *sgp += ALIGN(sz); + sz = ALIGN(sz); + if (*sgp + sz > (caddr_t)(PS_STRINGS - szsigcode)) + return NULL; + *sgp += sz; return p; } |