From 02ed78af40e9703d08142808274ea75e23ef0119 Mon Sep 17 00:00:00 2001
From: jdp
Date: Sun, 11 Oct 1998 04:54:16 +0000
Subject: Fix a couple of out-of-bounds array references in mapping between Linux and FreeBSD signal numbers. Also, check signal numbers passed in from application programs for validity. Without these checks, it is trivial to panic the system from a Linux program.
---
 sys/compat/linux/linux_signal.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'sys/compat/linux/linux_signal.c')
diff --git a/sys/compat/linux/linux_signal.c b/sys/compat/linux/linux_signal.c
index b2cb996..481ed7f 100644
--- a/sys/compat/linux/linux_signal.c
+++ b/sys/compat/linux/linux_signal.c
@@ -25,7 +25,7 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
- * $Id: linux_signal.c,v 1.11 1998/07/29 16:43:00 bde Exp $
+ * $Id: linux_signal.c,v 1.12 1998/08/15 22:29:43 bde Exp $
 */
 #include
@@ -43,7 +43,7 @@ linux_to_bsd_sigset(linux_sigset_t mask) {
 int b, l;
 sigset_t new = 0;
- for (l = 1; l <= LINUX_NSIG; l++) {
+ for (l = 1; l < LINUX_NSIG; l++) {
 if (mask & (1 << (l - 1))) {
 if ((b = linux_to_bsd_signal[l]))
 new |= (1 << (b - 1));
@@ -57,7 +57,7 @@ bsd_to_linux_sigset(sigset_t mask) {
 int b, l;
 sigset_t new = 0;
- for (b = 1; b <= NSIG; b++) {
+ for (b = 1; b < NSIG; b++) {
 if (mask & (1 << (b - 1))) {
 if ((l = bsd_to_linux_signal[b]))
 new |= (1 << (l - 1));
@@ -116,7 +116,8 @@ linux_sigaction(struct proc *p, struct linux_sigaction_args *args)
 printf("Linux-emul(%ld): sigaction(%d, %p, %p)\n", (long)p->p_pid, args->sig, (void *)args->nsa, (void *)args->osa);
 #endif
-
+ if (args->sig <= 0 || args->sig >= LINUX_NSIG)
+ return EINVAL;
 if (args->osa)
 osa = (struct sigaction *)stackgap_alloc(&sg, sizeof(struct sigaction));
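Review bot: The new bound `l < LINUX_NSIG` in linux_to_bsd_sigset is only correct if linux_to_bsd_signal[] has exactly LINUX_NSIG entries, and nothing near the loop records that; the table declaration is outside this hunk. A comment above the loop such as `/* linux_to_bsd_signal[] has LINUX_NSIG entries; valid indices are 1..LINUX_NSIG-1 */` would keep a later edit from restoring `<=`. The value `b` read from the table is then used unchecked as a shift count in `1 << (b - 1)`, so the table contents must stay within the width of sigset_t, and the literal would be safer written as `1U`. The same applies to the `b < NSIG` loop and `1 << (l - 1)` in bsd_to_linux_sigset in the next hunk; both function bodies continue past their hunks.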
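Review bot: The range check `args->sig <= 0 || args->sig >= LINUX_NSIG` in linux_sigaction is written out by hand here and again in linux_signal and linux_kill (the two following hunks), so any other entry point that indexes linux_to_bsd_signal[] with a caller-supplied number has to remember to copy it. Consider one macro or static inline shared by all callers, for example `#define LINUX_SIG_VALID(s) ((s) > 0 && (s) < LINUX_NSIG)` (the name is only a suggestion), with a comment at the table saying every user-supplied index must pass it. Only the three call sites in this patch are visible, so it is worth checking whether other syscalls in the file index the table with unchecked values. The body of linux_sigaction starts and ends outside the hunk.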
@@ -156,6 +157,8 @@ linux_signal(struct proc *p, struct linux_signal_args *args)
 printf("Linux-emul(%ld): signal(%d, %p)\n", (long)p->p_pid, args->sig, (void *)args->handler);
 #endif
+ if (args->sig <= 0 || args->sig >= LINUX_NSIG)
+ return EINVAL;
 sg = stackgap_init();
 nsa = stackgap_alloc(&sg, sizeof *nsa);
 osa = stackgap_alloc(&sg, sizeof *osa);
@@ -307,6 +310,8 @@ linux_kill(struct proc *p, struct linux_kill_args *args)
 printf("Linux-emul(%d): kill(%d, %d)\n", p->p_pid, args->pid, args->signum);
 #endif
+ if (args->signum <= 0 || args->signum >= LINUX_NSIG)
+ return EINVAL;
 tmp.pid = args->pid;
 tmp.signum = linux_to_bsd_signal[args->signum];
 return kill(p, &tmp);
-- cgit v1.1
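Review bot: The check `args->signum <= 0` in linux_kill also rejects signal 0, which programs pass to kill() to test whether a process exists or may be signalled, so that probe now fails with EINVAL for Linux binaries. Index 0 is inside the table, so the out-of-bounds protection does not require excluding it; `if (args->signum < 0 || args->signum >= LINUX_NSIG)` keeps the bounds check, assuming linux_to_bsd_signal[0] is 0 (the table is not visible here). A one-line comment such as `/* signum 0 is allowed: existence/permission probe */` would make the intent explicit. The start of linux_kill is outside the hunk.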