From ebbf4e4bde2322b38bffad4a30b6d9e09942fc21 Mon Sep 17 00:00:00 2001
From: cperciva <cperciva@FreeBSD.org>
Date: Wed, 1 Dec 2004 21:33:02 +0000
Subject: Fix unvalidated pointer dereference.  This is
 FreeBSD-SA-04:17.procfs.

---
 sys/compat/linprocfs/linprocfs.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'sys/compat/linprocfs')

diff --git a/sys/compat/linprocfs/linprocfs.c b/sys/compat/linprocfs/linprocfs.c
index 95cebb4..591ba6d 100644
--- a/sys/compat/linprocfs/linprocfs.c
+++ b/sys/compat/linprocfs/linprocfs.c
@@ -769,6 +769,7 @@ static int
 linprocfs_doproccmdline(PFS_FILL_ARGS)
 {
 	struct ps_strings pstr;
+	char **ps_argvstr;
 	int error, i;
 
 	/*
@@ -794,10 +795,21 @@ linprocfs_doproccmdline(PFS_FILL_ARGS)
 		    sizeof(pstr));
 		if (error)
 			return (error);
+		if (pstr.ps_nargvstr > ARG_MAX)
+			return (E2BIG);
+		ps_argvstr = malloc(pstr.ps_nargvstr * sizeof(char *),
+		    M_TEMP, M_WAITOK);
+		error = copyin((void *)pstr.ps_argvstr, ps_argvstr,
+		    pstr.ps_nargvstr * sizeof(char *));
+		if (error) {
+			free(ps_argvstr, M_TEMP);
+			return (error);
+		}
 		for (i = 0; i < pstr.ps_nargvstr; i++) {
-			sbuf_copyin(sb, pstr.ps_argvstr[i], 0);
+			sbuf_copyin(sb, ps_argvstr[i], 0);
 			sbuf_printf(sb, "%c", '\0');
 		}
+		free(ps_argvstr, M_TEMP);
 	}
 
 	return (0);
-- 
cgit v1.1