From 6a2a1d94925dc84b521020f8748ebfb0bdea14d1 Mon Sep 17 00:00:00 2001 From: das Date: Wed, 23 Mar 2005 08:28:06 +0000 Subject: Bounds check the user-supplied length used in a copyout() in svr4_do_getmsg(). In principle this bug could disclose data from kernel memory, but in practice, the SVR4 emulation layer is probably not functional enough to cause the relevant code path to be executed. In any case, the emulator has been disconnected from the build since 5.0-RELEASE. Found by: Coverity Prevent analysis tool --- sys/compat/svr4/svr4_stream.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/compat/svr4/svr4_stream.c b/sys/compat/svr4/svr4_stream.c index 68bdf7c..e11c84c 100644 --- a/sys/compat/svr4/svr4_stream.c +++ b/sys/compat/svr4/svr4_stream.c @@ -2226,6 +2226,8 @@ svr4_do_getmsg(td, uap, fp) } if (uap->ctl) { + if (ctl.len > sizeof(sc)) + ctl.len = sizeof(sc); if (ctl.len != -1) if ((error = copyout(&sc, ctl.buf, ctl.len)) != 0) return error; -- cgit v1.1