cvs commit: src/sys/compat/linprocfs linprocfs.c src/sys/fs/procfs procfs_status.c

Pawel Jakub Dawidek pjd at FreeBSD.org
Wed Dec 1 14:51:45 PST 2004


On Wed, Dec 01, 2004 at 09:33:02PM +0000, Colin Percival wrote:
+> cperciva    2004-12-01 21:33:02 UTC
+> 
+>   FreeBSD src repository
+> 
+>   Modified files:
+>     sys/compat/linprocfs linprocfs.c 
+>     sys/fs/procfs        procfs_status.c 
+>   Log:
+>   Fix unvalidated pointer dereference.  This is FreeBSD-SA-04:17.procfs.
[...]
+> @@ -794,10 +795,21 @@ linprocfs_doproccmdline(PFS_FILL_ARGS)
+>  		    sizeof(pstr));
+>  		if (error)
+>  			return (error);
+> +		if (pstr.ps_nargvstr > ARG_MAX)
+> +			return (E2BIG);
+> +		ps_argvstr = malloc(pstr.ps_nargvstr * sizeof(char *),
+> +		    M_TEMP, M_WAITOK);
+> +		error = copyin((void *)pstr.ps_argvstr, ps_argvstr,
+> +		    pstr.ps_nargvstr * sizeof(char *));
+> +		if (error) {
+> +			free(ps_argvstr, M_TEMP);
+> +			return (error);
+> +		}
+>  		for (i = 0; i < pstr.ps_nargvstr; i++) {
+> -			sbuf_copyin(sb, pstr.ps_argvstr[i], 0);
+> +			sbuf_copyin(sb, ps_argvstr[i], 0);
+>  			sbuf_printf(sb, "%c", '\0');
+>  		}
+> +		free(ps_argvstr, M_TEMP);
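
Review bot: The sbuf_copyin(sb, ps_argvstr[i], 0) call inside the for loop still has its return value discarded, so a bad user pointer among the copied-in argv entries is skipped silently and only the '\0' separator is emitted for that argument. Consider checking the result and, on failure, freeing ps_argvstr and returning an error, the same way the copyin() error path just above does. Separately, the new bound check only tests pstr.ps_nargvstr > ARG_MAX; the field's declaration is not visible in this hunk, but if it is a signed type, a negative count would pass the check and reach the malloc() size computation, so a lower-bound test or an unsigned comparison is worth adding.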

BTW, why don't we check the sbuf_copyin() return value here?

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!