PERFORCE change 108673 for review
Alexander Leidinger
netchild at FreeBSD.org
Sun Oct 29 17:41:55 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=108673
Change 108673 by netchild at netchild_magellan on 2006/10/29 17:41:35
linux_prctl():
- Currently LINUX_MAX_COMM_LEN is smaller than MAXCOMLEN, but in case
this will change we have a buffer overflow. Apply some defensive
programming to DTRT when this should happen.
- Use strlcpy instead of strcpy.
- Use copyinstr instead of copyin (and while I'm here fix a copy&paste
bug in the order of the arguments).
- Properly lock the read case (PR_GET_NAME) like the write case.
Discussed with: rwatson
X-MFP4 after: review from rwatson
Affected files ...
.. //depot/projects/linuxolator/src/sys/compat/linux/linux_misc.c#21 edit
Differences ...
==== //depot/projects/linuxolator/src/sys/compat/linux/linux_misc.c#21 (text+ko) ====
@@ -1560,7 +1560,7 @@
int
linux_prctl(struct thread *td, struct linux_prctl_args *args)
{
- int error = 0;
+ int error = 0, max_size;
struct proc *p = td->td_proc;
char comm[LINUX_MAX_COMM_LEN];
struct linux_emuldata *em;
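Review bot: max_size is declared as int on the changed declaration line, but the only place this patch uses it is as the length argument of copyinstr(), which takes a size_t. Declaring it as a separate size_t max_size; avoids the implicit signed-to-unsigned conversion and keeps the length out of the same declaration as the error code.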
@@ -1589,16 +1589,22 @@
EMUL_UNLOCK(&emul_lock);
break;
case LINUX_PR_SET_NAME:
- comm[LINUX_MAX_COMM_LEN-1] = 0;
- error = copyin(comm, (void *)(register_t) args->arg2, LINUX_MAX_COMM_LEN-1);
+ max_size = (LINUX_MAX_COMM_LEN <= MAXCOMLEN + 1) ?
+ LINUX_MAX_COMM_LEN : (MAXCOMLEN + 1);
+ error = copyinstr((void *)(register_t) args->arg2, comm,
+ max_size, NULL);
if (error)
return (error);
PROC_LOCK(p);
- strcpy(p->p_comm, comm);
+ strlcpy(p->p_comm, comm, MAXCOMLEN + 1);
PROC_UNLOCK(p);
break;
case LINUX_PR_GET_NAME:
- error = copyout(&p->p_comm, (void *)(register_t) args->arg2, MAXCOMLEN+1);
+ PROC_LOCK(p);
+ strlcpy(comm, p->p_comm, LINUX_MAX_COMM_LEN);
+ PROC_UNLOCK(p);
+ error = copyout(comm, (void *)(register_t) args->arg2,
+ strlen(comm)+1);
break;
default:
error = EINVAL;
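Review bot: in the LINUX_PR_SET_NAME case, copyinstr() returns ENAMETOOLONG when it finds no NUL within max_size bytes, and the following if (error) return (error); passes that straight back to the caller. The removed lines were written to truncate instead (comm[LINUX_MAX_COMM_LEN-1] = 0 plus a bounded copyin), so a Linux binary that passes a name longer than the limit now gets a failure where it previously got a shortened name. Consider handling ENAMETOOLONG explicitly: terminate comm at max_size - 1 and continue to the strlcpy() into p->p_comm, returning only other errors. A short comment above the max_size computation, saying that comm is LINUX_MAX_COMM_LEN bytes and p_comm is MAXCOMLEN + 1 bytes, would also make the reason for the min() clear to the next reader.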