Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 5 Apr 2016 18:27:47 +0000 (UTC)
From:      Sean Bruno <sbruno@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r297588 - stable/10/sys/kern
Message-ID:  <201604051827.u35IRlwc000869@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: sbruno
Date: Tue Apr  5 18:27:47 2016
New Revision: 297588
URL: https://svnweb.freebsd.org/changeset/base/297588

Log:
  MFC r297488
  
  Repair an overflow condition where a user could submit a string that was
  not getting a proper bounds check.
  
  PR:		206761
  Submitted by:	sson
  Reviewed by:	cturt@hardenedbsd.org

Modified:
  stable/10/sys/kern/imgact_binmisc.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/kern/imgact_binmisc.c
==============================================================================
--- stable/10/sys/kern/imgact_binmisc.c	Tue Apr  5 18:07:13 2016	(r297587)
+++ stable/10/sys/kern/imgact_binmisc.c	Tue Apr  5 18:27:47 2016	(r297588)
@@ -1,5 +1,5 @@
-/*-
- * Copyright (c) 2013, Stacey D. Son
+/*
+ * Copyright (c) 2013-16, Stacey D. Son
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -222,16 +222,17 @@ imgact_binmisc_add_entry(ximgact_binmisc
 {
 	imgact_binmisc_entry_t *ibe;
 	char *p;
+	int cnt;
 
 	if (xbe->xbe_msize > IBE_MAGIC_MAX)
 		return (EINVAL);
 
-	for(p = xbe->xbe_name; *p != 0; p++)
-		if (!isascii((int)*p))
+	for(cnt = 0, p = xbe->xbe_name; *p != 0; cnt++, p++)
+		if (cnt >= IBE_NAME_MAX || !isascii((int)*p))
 			return (EINVAL);
 
-	for(p = xbe->xbe_interpreter; *p != 0; p++)
-		if (!isascii((int)*p))
+	for(cnt = 0, p = xbe->xbe_interpreter; *p != 0; cnt++, p++)
+		if (cnt >= IBE_INTERP_LEN_MAX || !isascii((int)*p))
 			return (EINVAL);
 
 	/* Make sure we don't have any invalid #'s. */
@@ -268,8 +269,6 @@ imgact_binmisc_add_entry(ximgact_binmisc
 	mtx_unlock(&interp_list_mtx);
 
 	ibe = imgact_binmisc_new_entry(xbe);
-	if (!ibe)
-		return (ENOMEM);
 
 	mtx_lock(&interp_list_mtx);
 	SLIST_INSERT_HEAD(&interpreter_list, ibe, link);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201604051827.u35IRlwc000869>