diff options
author | trasz <trasz@FreeBSD.org> | 2012-04-17 13:28:14 +0000 |
---|---|---|
committer | trasz <trasz@FreeBSD.org> | 2012-04-17 13:28:14 +0000 |
commit | c37ffba90af74bab6612174c69103ae8a647988a (patch) | |
tree | 208e734a864fc5aa19e7f2ace891d57d72d91af7 /sys/kern/kern_rctl.c | |
parent | ef881c3335e928604952cacde8c36cdc46fe1f72 (diff) | |
download | FreeBSD-src-c37ffba90af74bab6612174c69103ae8a647988a.zip FreeBSD-src-c37ffba90af74bab6612174c69103ae8a647988a.tar.gz |
Enforce upper bound on the input buffer length.
Reported by: Mateusz Guzik
Diffstat (limited to 'sys/kern/kern_rctl.c')
-rw-r--r-- | sys/kern/kern_rctl.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/kern/kern_rctl.c b/sys/kern/kern_rctl.c index aaea7d5..883fa30 100644 --- a/sys/kern/kern_rctl.c +++ b/sys/kern/kern_rctl.c @@ -73,6 +73,7 @@ FEATURE(rctl, "Resource Limits"); /* Default buffer size for rctl_get_rules(2). */ #define RCTL_DEFAULT_BUFSIZE 4096 +#define RCTL_MAX_INBUFLEN 4096 #define RCTL_LOG_BUFSIZE 128 /* @@ -1191,6 +1192,8 @@ rctl_read_inbuf(char **inputstr, const char *inbufp, size_t inbuflen) if (inbuflen <= 0) return (EINVAL); + if (inbuflen > RCTL_MAX_INBUFLEN) + return (E2BIG); str = malloc(inbuflen + 1, M_RCTL, M_WAITOK); error = copyinstr(inbufp, str, inbuflen, NULL); |