From b7238dced470f241b46f4256b6cb23f37d257885 Mon Sep 17 00:00:00 2001 From: cperciva Date: Mon, 23 Mar 2009 00:00:50 +0000 Subject: Correctly sanity-check timer IDs. [SA-09:06] Limit the size of malloced buffer when dumping environment variables. [EN-09:01] Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-09:06.ktimer Errata: FreeBSD-EN-09:01.kenv --- sys/kern/kern_environment.c | 10 +++++++--- sys/kern/kern_time.c | 3 ++- 2 files changed, 9 insertions(+), 4 deletions(-) (limited to 'sys') diff --git a/sys/kern/kern_environment.c b/sys/kern/kern_environment.c index a5658ca..038515b 100644 --- a/sys/kern/kern_environment.c +++ b/sys/kern/kern_environment.c @@ -87,7 +87,7 @@ kenv(td, uap) } */ *uap; { char *name, *value, *buffer = NULL; - size_t len, done, needed; + size_t len, done, needed, buflen; int error, i; KASSERT(dynamic_kenv, ("kenv: dynamic_kenv = 0")); @@ -100,13 +100,17 @@ kenv(td, uap) return (error); #endif done = needed = 0; + buflen = uap->len; + if (buflen > KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2)) + buflen = KENV_SIZE * (KENV_MNAMELEN + + KENV_MVALLEN + 2); if (uap->len > 0 && uap->value != NULL) - buffer = malloc(uap->len, M_TEMP, M_WAITOK|M_ZERO); + buffer = malloc(buflen, M_TEMP, M_WAITOK|M_ZERO); mtx_lock(&kenv_lock); for (i = 0; kenvp[i] != NULL; i++) { len = strlen(kenvp[i]) + 1; needed += len; - len = min(len, uap->len - done); + len = min(len, buflen - done); /* * If called with a NULL or insufficiently large * buffer, just keep computing the required size. diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index a8ecace..99c1a53 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -1085,7 +1085,8 @@ itimer_find(struct proc *p, int timerid) struct itimer *it; PROC_LOCK_ASSERT(p, MA_OWNED); - if ((p->p_itimers == NULL) || (timerid >= TIMER_MAX) || + if ((p->p_itimers == NULL) || + (timerid < 0) || (timerid >= TIMER_MAX) || (it = p->p_itimers->its_timers[timerid]) == NULL) { return (NULL); } -- cgit v1.1