Date: Sun, 20 Feb 2011 17:01:37 GMT
From: Edward Tomasz Napierala <trasz@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 188976 for review
Message-ID: <201102201701.p1KH1bYU037557@skunkworks.freebsd.org>
http://p4web.freebsd.org/@@188976?ac=10 Change 188976 by trasz@trasz_victim on 2011/02/20 17:00:33 Prevent root from crashing the system by adding a rule with too long loginclass name. Affected files ... .. //depot/projects/soc2009/trasz_limits/sys/kern/kern_loginclass.c#30 edit .. //depot/projects/soc2009/trasz_limits/sys/kern/kern_rctl.c#33 edit Differences ... ==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_loginclass.c#30 (text+ko) ==== @@ -113,8 +113,8 @@ { struct loginclass *lc, *newlc; - KASSERT(strlen(name) <= MAXLOGNAME - 1, - ("loginclass_find: got too long name")); + if (strlen(name) > MAXLOGNAME - 1) + return (NULL); newlc = malloc(sizeof(*newlc), M_LOGINCLASS, M_ZERO | M_WAITOK); container_create(&newlc->lc_container); @@ -200,6 +200,7 @@ newcred = crget(); newlc = loginclass_find(lcname); + KASSERT(newlc != NULL, ("loginclass_find() failed")); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); ==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_rctl.c#33 (text+ko) ==== @@ -837,6 +837,10 @@ case RCTL_SUBJECT_TYPE_LOGINCLASS: rule->rr_subject.hr_loginclass = loginclass_find(subject_idstr); + if (rule->rr_subject.hr_loginclass == NULL) { + error = ENAMETOOLONG; + goto out; + } break; case RCTL_SUBJECT_TYPE_JAIL: rule->rr_subject.rs_prison =
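Review bot: In kern_loginclass.c at @@ -113, the new "if (strlen(name) > MAXLOGNAME - 1) return (NULL);" gives loginclass_find() a failure return that it did not have while the length was only asserted, and the allocation right below it uses M_WAITOK, so callers had no reason to check the result before. Please state the NULL return in the function's comment and audit every caller of loginclass_find(), not only the two touched in this change, since any caller left unchanged will now dereference NULL on an over-long name.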
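Review bot: In kern_loginclass.c at @@ -200, "KASSERT(newlc != NULL, ("loginclass_find() failed"));" only checks on kernels built with INVARIANTS; on a production kernel a NULL from loginclass_find(lcname) goes straight into the code after PROC_LOCK(p). The visible lines do not show where the length of lcname is bounded. If it is bounded earlier in this function, a short comment saying so next to the KASSERT would make the assertion justified; if it is not, handle NULL with an explicit error return here, releasing the credential obtained from crget() just above.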
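Review bot: In kern_rctl.c at @@ -837, the NULL check after loginclass_find(subject_idstr) hardcodes "error = ENAMETOOLONG;", which ties this caller to the single reason loginclass_find() currently returns NULL; if that function ever gains another failure path, the errno reported to userland will be wrong. Consider checking the length of subject_idstr here before the call, or adding a comment that NULL means only "name too long". Please also confirm that the "out" label releases the partially filled rule, which these lines do not show.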