From: Ariff Abdullah
Date: Mon, 30 Jan 2006 12:17:29 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/kern kern_environment.c
Message-Id: <200601301217.k0UCHTvt085004@repoman.freebsd.org>
X-FreeBSD-CVS-Branch: RELENG_5

ariff       2006-01-30 12:17:29 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_5)
    sys/kern             kern_environment.c
  Log:
  MFC:

  Add bounds checking to the setenv part of the kernel environment. This has
  no security implications since only root is allowed to use kenv(1) (and
  corrupt the kernel memory after adding too many variables previous to this
  commit).

  This is based upon the PR [1] mentioned below, but extended to check both
  bounds (in case of an overflow of the counting variable) and to comply with
  the style of the function. An overflow of the counting variable shouldn't
  happen after adding the check for the upper bound, but better safe than
  sorry (in case some other function in the kernel overwrites random memory).

  An interested soul may want to add a printf to notify root in case the
  bounds are hit.

  Also allocate KENV_SIZE+1 entries (the array is NULL-terminated), since the
  comment for KENV_SIZE says it's the maximum number of environment
  strings. [2]

  Reorder statements to avoid accessing unknown memory. In theory, invoking
  kenv with a very long string can panic the kernel.

  PR:             83687 [1]
  Submitted by:   Harry Coin [1]

  Revision   Changes    Path
  1.34.2.3   +10 -3     src/sys/kern/kern_environment.c
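
An added sketch, not the committed FreeBSD code and not part of the original message: a fixed table of KENV_SIZE+1 NULL-terminated slots with the two-sided index check the log describes. KENV_SIZE is given a small constructed value here, and env_tab, env_count and env_append are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KENV_SIZE 4	/* constructed demo value: maximum number of strings */

/* Hypothetical table: KENV_SIZE entries plus one slot for the NULL terminator. */
static char *env_tab[KENV_SIZE + 1];

/* Count stored entries; the index is tested before the slot is read. */
int
env_count(void)
{
	int i;

	for (i = 0; i < KENV_SIZE && env_tab[i] != NULL; i++)
		;
	return (i);
}

/* Append "name=value"; returns 0 on success, -1 when full or on bad input. */
int
env_append(const char *name, const char *value)
{
	char *buf;
	size_t len;
	int i;

	if (name == NULL || value == NULL)
		return (-1);
	i = env_count();
	/* Both bounds: i < 0 can only mean the counter itself was corrupted. */
	if (i < 0 || i >= KENV_SIZE)
		return (-1);
	len = strlen(name) + strlen(value) + 2;	/* '=' and trailing NUL */
	if ((buf = malloc(len)) == NULL)
		return (-1);
	snprintf(buf, len, "%s=%s", name, value);
	env_tab[i] = buf;
	env_tab[i + 1] = NULL;	/* i + 1 <= KENV_SIZE, still inside the array */
	return (0);
}

int
main(void)
{
	while (env_append("constructed.name", "value") == 0)
		;
	printf("stored %d of %d\n", env_count(), KENV_SIZE);
	return (0);
}
```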