Enforce upper bound on the input buffer length.

Reported by: Mateusz Guzik
author: trasz <trasz@FreeBSD.org> 2012-04-17 13:28:14 +0000
committer: trasz <trasz@FreeBSD.org> 2012-04-17 13:28:14 +0000
commit: c37ffba90af74bab6612174c69103ae8a647988a (patch)
tree: 208e734a864fc5aa19e7f2ace891d57d72d91af7 /sys/kern/kern_rctl.c
parent: ef881c3335e928604952cacde8c36cdc46fe1f72 (diff)
download: FreeBSD-src-c37ffba90af74bab6612174c69103ae8a647988a.zip
FreeBSD-src-c37ffba90af74bab6612174c69103ae8a647988a.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/kern/kern_rctl.c b/sys/kern/kern_rctl.c
index aaea7d5..883fa30 100644
--- a/sys/kern/kern_rctl.c
+++ b/sys/kern/kern_rctl.c
@@ -73,6 +73,7 @@ FEATURE(rctl, "Resource Limits");
 
 /* Default buffer size for rctl_get_rules(2). */
 #define	RCTL_DEFAULT_BUFSIZE	4096
+#define	RCTL_MAX_INBUFLEN	4096
 #define	RCTL_LOG_BUFSIZE	128
 
 /*
@@ -1191,6 +1192,8 @@ rctl_read_inbuf(char **inputstr, const char *inbufp, size_t inbuflen)
 
 	if (inbuflen <= 0)
 		return (EINVAL);
+	if (inbuflen > RCTL_MAX_INBUFLEN)
+		return (E2BIG);
 
 	str = malloc(inbuflen + 1, M_RCTL, M_WAITOK);
 	error = copyinstr(inbufp, str, inbuflen, NULL);
author	trasz <trasz@FreeBSD.org>	2012-04-17 13:28:14 +0000
committer	trasz <trasz@FreeBSD.org>	2012-04-17 13:28:14 +0000
commit	c37ffba90af74bab6612174c69103ae8a647988a (patch)
tree	208e734a864fc5aa19e7f2ace891d57d72d91af7 /sys/kern/kern_rctl.c
parent	ef881c3335e928604952cacde8c36cdc46fe1f72 (diff)
download	FreeBSD-src-c37ffba90af74bab6612174c69103ae8a647988a.zip FreeBSD-src-c37ffba90af74bab6612174c69103ae8a647988a.tar.gz