author | jh <jh@FreeBSD.org> | 2011-05-23 16:40:44 +0000 |
---|---|---|
committer | jh <jh@FreeBSD.org> | 2011-05-23 16:40:44 +0000 |
commit | fbe30c6e5ce0c364505ae499b72e7e18115f4e27 (patch) | |
tree | f2ff75166ac05ca8a8f1733cfff54c4febf48222 /sys/kern | |
parent | 79b3da72c27b9377d683dc80ab7340e913334d7b (diff) | |
In init_dynamic_kenv(), ignore environment strings exceeding the
KENV_MNAMELEN + 1 + KENV_MVALLEN + 1 length limit to avoid buffer
overflow in getenv(). Currently loader(8) doesn't limit the length of
environment strings.
PR: kern/132104
MFC after: 1 month
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_environment.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/kern/kern_environment.c b/sys/kern/kern_environment.c
index 41a9fa8..16760ce 100644
--- a/sys/kern/kern_environment.c
+++ b/sys/kern/kern_environment.c
@@ -225,13 +225,19 @@ static void
 init_dynamic_kenv(void *data __unused)
 {
 char *cp;
- int len, i;
+ size_t len;
+ int i;
 kenvp = malloc((KENV_SIZE + 1) * sizeof(char *), M_KENV, M_WAITOK | M_ZERO);
 i = 0;
 for (cp = kern_envp; cp != NULL; cp = kernenv_next(cp)) {
 len = strlen(cp) + 1;
+ if (len > KENV_MNAMELEN + 1 + KENV_MVALLEN + 1) {
+ printf("WARNING: too long kenv string, ignoring %s\n",
+ cp);
+ continue;
+ }
 if (i < KENV_SIZE) {
 kenvp[i] = malloc(len, M_KENV, M_WAITOK);
 strcpy(kenvp[i++], cp); |
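Review bot: The warning in the added `printf` prints the whole rejected string with `%s`, although this branch is taken precisely because `cp` exceeds the kenv limit and, per the commit message, loader(8) does not bound its length. That sends an arbitrarily long loader-supplied string, value included, to the console and message buffer. A name-sized prefix is enough to identify the variable, e.g. `printf("WARNING: too long kenv string, ignoring %.*s\n", KENV_MNAMELEN, cp);`. The new check also bounds only the combined length, so a name longer than KENV_MNAMELEN paired with a short value still passes; whether that matters depends on the consumers, which are outside this hunk. The body of init_dynamic_kenv continues past the last line shown.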