Date:      Wed, 1 Dec 2004 23:51:41 +0100
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Colin Percival <cperciva@FreeBSD.org>
Cc:        cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/compat/linprocfs linprocfs.c src/sys/fs/procfs procfs_status.c
Message-ID:  <20041201225141.GA813@darkness.comp.waw.pl>
In-Reply-To: <200412012133.iB1LX2JC019417@repoman.freebsd.org>
References:  <200412012133.iB1LX2JC019417@repoman.freebsd.org>


On Wed, Dec 01, 2004 at 09:33:02PM +0000, Colin Percival wrote:
+> cperciva    2004-12-01 21:33:02 UTC
+>
+>   FreeBSD src repository
+>
+>   Modified files:
+>     sys/compat/linprocfs linprocfs.c
+>     sys/fs/procfs        procfs_status.c
+>   Log:
+>   Fix unvalidated pointer dereference.  This is FreeBSD-SA-04:17.procfs.
[...]
+> @@ -794,10 +795,21 @@ linprocfs_doproccmdline(PFS_FILL_ARGS)
+>  		    sizeof(pstr));
+>  		if (error)
+>  			return (error);
+> +		if (pstr.ps_nargvstr > ARG_MAX)
+> +			return (E2BIG);
+> +		ps_argvstr =3D malloc(pstr.ps_nargvstr * sizeof(char *),
+> +		    M_TEMP, M_WAITOK);
+> +		error =3D copyin((void *)pstr.ps_argvstr, ps_argvstr,
+> +		    pstr.ps_nargvstr * sizeof(char *));
+> +		if (error) {
+> +			free(ps_argvstr, M_TEMP);
+> +			return (error);
+> +		}
+>  		for (i =3D 0; i < pstr.ps_nargvstr; i++) {
+> -			sbuf_copyin(sb, pstr.ps_argvstr[i], 0);
+> +			sbuf_copyin(sb, ps_argvstr[i], 0);
+>  			sbuf_printf(sb, "%c", '\0');
+>  		}
+> +		free(ps_argvstr, M_TEMP);
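
Review bot: the new bound on pstr.ps_nargvstr compares an element count against ARG_MAX, which is a byte limit, so the malloc() that follows can still be asked for ARG_MAX * sizeof(char *) bytes with M_WAITOK; bounding the count by ARG_MAX / sizeof(char *) would keep the allocation within ARG_MAX bytes. If ps_nargvstr is a signed type (its declaration is not visible in this hunk), a negative value also passes the "> ARG_MAX" test and should be rejected explicitly before the multiplication. In the loop, the result of sbuf_copyin(sb, ps_argvstr[i], 0) is discarded, so a failed copy from a bad user pointer still appends a NUL and the loop carries on; if that result is checked, the error path needs the same free(ps_argvstr, M_TEMP) that the copyin() failure path has.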

BTW, why don't we check the sbuf_copyin() return value here?

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
