From b7238dced470f241b46f4256b6cb23f37d257885 Mon Sep 17 00:00:00 2001 From: cperciva Date: Mon, 23 Mar 2009 00:00:50 +0000 Subject: Correctly sanity-check timer IDs. [SA-09:06] Limit the size of malloced buffer when dumping environment variables. [EN-09:01] Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-09:06.ktimer Errata: FreeBSD-EN-09:01.kenv --- sys/kern/kern_time.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'sys/kern/kern_time.c') diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index a8ecace..99c1a53 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -1085,7 +1085,8 @@ itimer_find(struct proc *p, int timerid) struct itimer *it; PROC_LOCK_ASSERT(p, MA_OWNED); - if ((p->p_itimers == NULL) || (timerid >= TIMER_MAX) || + if ((p->p_itimers == NULL) || + (timerid < 0) || (timerid >= TIMER_MAX) || (it = p->p_itimers->its_timers[timerid]) == NULL) { return (NULL); } -- cgit v1.1