cvs commit: src/sys/compat/svr4 svr4_filio.c svr4_misc.c
svr4_signal.c svr4_stream.c svr4_sysvec.c svr4_util.h
Tim J. Robbins
tjr at FreeBSD.org
Mon Oct 20 03:38:50 PDT 2003
tjr 2003/10/20 03:38:49 PDT
FreeBSD src repository
Modified files:
sys/compat/svr4 svr4_filio.c svr4_misc.c svr4_signal.c
svr4_stream.c svr4_sysvec.c svr4_util.h
Log:
Fix some security bugs in the SVR4 emulator:
- Return NULL instead of returning memory outside of the stackgap
in stackgap_alloc() (FreeBSD-SA-00:42.linux)
- Check for stackgap_alloc() returning NULL in svr4_emul_find(),
and clean_pipe().
- Avoid integer overflow on large nfds argument in svr4_sys_poll()
- Reject negative nbytes argument in svr4_sys_getdents()
- Don't copy out past the end of the struct componentname
pathname buffer in svr4_sys_resolvepath()
- Reject out-of-range signal numbers in svr4_sys_sigaction(),
svr4_sys_signal(), and svr4_sys_kill().
- Don't malloc() user-specified lengths in show_ioc() and
show_strbuf(), place arbitrary limits instead.
- Range-check lengths in si_listen(), ti_getinfo(), ti_bind(),
svr4_do_putmsg(), svr4_do_getmsg(), svr4_stream_ti_ioctl().
Some fixes obtain from OpenBSD.
Revision Changes Path
1.30 +7 -0 src/sys/compat/svr4/svr4_filio.c
1.67 +7 -4 src/sys/compat/svr4/svr4_misc.c
1.29 +12 -2 src/sys/compat/svr4/svr4_signal.c
1.46 +44 -11 src/sys/compat/svr4/svr4_stream.c
1.35 +4 -2 src/sys/compat/svr4/svr4_sysvec.c
1.7 +4 -1 src/sys/compat/svr4/svr4_util.h
More information about the cvs-src
mailing list