diff options
| author | sbruno <sbruno@FreeBSD.org> | 2016-04-05 18:27:47 +0000 |
|---|---|---|
| committer | sbruno <sbruno@FreeBSD.org> | 2016-04-05 18:27:47 +0000 |
| commit | ec0d763b35ddfe982d7db44b3a1b0ba72d77a464 (patch) | |
| tree | 15e09e6fc1ec67ec1c2df0ea686bd5236e0bca77 /sys/kern | |
| parent | ed9af0cb98e2ac2c7abfa90a354d37982bfc7acc (diff) | |
| download | FreeBSD-src-ec0d763b35ddfe982d7db44b3a1b0ba72d77a464.zip FreeBSD-src-ec0d763b35ddfe982d7db44b3a1b0ba72d77a464.tar.gz | |
MFC r297488
Repair an overflow condition where a user could submit a string that was
not getting a proper bounds check.
PR: 206761
Submitted by: sson
Reviewed by: cturt@hardenedbsd.org
Diffstat (limited to 'sys/kern')
| -rw-r--r-- | sys/kern/imgact_binmisc.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/sys/kern/imgact_binmisc.c b/sys/kern/imgact_binmisc.c index 5f324d3..5712838 100644 --- a/sys/kern/imgact_binmisc.c +++ b/sys/kern/imgact_binmisc.c @@ -1,5 +1,5 @@ -/*- - * Copyright (c) 2013, Stacey D. Son +/* + * Copyright (c) 2013-16, Stacey D. Son * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -222,16 +222,17 @@ imgact_binmisc_add_entry(ximgact_binmisc_entry_t *xbe) { imgact_binmisc_entry_t *ibe; char *p; + int cnt; if (xbe->xbe_msize > IBE_MAGIC_MAX) return (EINVAL); - for(p = xbe->xbe_name; *p != 0; p++) - if (!isascii((int)*p)) + for(cnt = 0, p = xbe->xbe_name; *p != 0; cnt++, p++) + if (cnt >= IBE_NAME_MAX || !isascii((int)*p)) return (EINVAL); - for(p = xbe->xbe_interpreter; *p != 0; p++) - if (!isascii((int)*p)) + for(cnt = 0, p = xbe->xbe_interpreter; *p != 0; cnt++, p++) + if (cnt >= IBE_INTERP_LEN_MAX || !isascii((int)*p)) return (EINVAL); /* Make sure we don't have any invalid #'s. */ @@ -268,8 +269,6 @@ imgact_binmisc_add_entry(ximgact_binmisc_entry_t *xbe) mtx_unlock(&interp_list_mtx); ibe = imgact_binmisc_new_entry(xbe); - if (!ibe) - return (ENOMEM); mtx_lock(&interp_list_mtx); SLIST_INSERT_HEAD(&interpreter_list, ibe, link); |
