Avoid a possible heap overflow in our nlm code by limiting the number

of service to the arbitrary value of 256. Log an appropriate message that indicates the hard limit. PR: 208808 Submitted by: cturt@hardenedbsd.org Reviewed by: dfr Obtained from: HardenedBSD MFC after: 2 weeks
author: sbruno <sbruno@FreeBSD.org> 2016-04-20 15:31:03 +0000
committer: sbruno <sbruno@FreeBSD.org> 2016-04-20 15:31:03 +0000
commit: b09e37ef6cc1ad2e74a185000ee99cee5da7e798 (patch)
tree: 503fcf5f4bc9eb5d9efce71a567aad9f916059a6 /sys
parent: f0c0089228967af0eaf831f716f8b04f7ade6c75 (diff)
download: FreeBSD-src-b09e37ef6cc1ad2e74a185000ee99cee5da7e798.zip
FreeBSD-src-b09e37ef6cc1ad2e74a185000ee99cee5da7e798.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/nlm/nlm_prot_impl.c b/sys/nlm/nlm_prot_impl.c
index 5f20206..28a618a 100644
--- a/sys/nlm/nlm_prot_impl.c
+++ b/sys/nlm/nlm_prot_impl.c
@@ -1439,6 +1439,12 @@ nlm_register_services(SVCPOOL *pool, int addr_count, char **addrs)
 		return (EINVAL);
 	}
 
+	if (addr_count < 0 || addr_count > 256 ) {
+		NLM_ERR("NLM:  too many service addresses (%d) given, "
+		    "max 256 - can't start server\n", addr_count);
+		return (EINVAL);
+	}
+
 	xprts = malloc(addr_count * sizeof(SVCXPRT *), M_NLM, M_WAITOK|M_ZERO);
 	for (i = 0; i < version_count; i++) {
 		for (j = 0; j < addr_count; j++) {
author	sbruno <sbruno@FreeBSD.org>	2016-04-20 15:31:03 +0000
committer	sbruno <sbruno@FreeBSD.org>	2016-04-20 15:31:03 +0000
commit	b09e37ef6cc1ad2e74a185000ee99cee5da7e798 (patch)
tree	503fcf5f4bc9eb5d9efce71a567aad9f916059a6 /sys
parent	f0c0089228967af0eaf831f716f8b04f7ade6c75 (diff)
download	FreeBSD-src-b09e37ef6cc1ad2e74a185000ee99cee5da7e798.zip FreeBSD-src-b09e37ef6cc1ad2e74a185000ee99cee5da7e798.tar.gz