svn commit: r298351 - head/sys/nlm
Sean Bruno
sbruno at FreeBSD.org
Wed Apr 20 15:31:04 UTC 2016
Author: sbruno
Date: Wed Apr 20 15:31:03 2016
New Revision: 298351
URL: https://svnweb.freebsd.org/changeset/base/298351
Log:
Avoid a possible heap overflow in our nlm code by limiting the number
of service to the arbitrary value of 256. Log an appropriate message
that indicates the hard limit.
PR: 208808
Submitted by: cturt at hardenedbsd.org
Reviewed by: dfr
Obtained from: HardenedBSD
MFC after: 2 weeks
Modified:
head/sys/nlm/nlm_prot_impl.c
Modified: head/sys/nlm/nlm_prot_impl.c
==============================================================================
--- head/sys/nlm/nlm_prot_impl.c Wed Apr 20 14:47:16 2016 (r298350)
+++ head/sys/nlm/nlm_prot_impl.c Wed Apr 20 15:31:03 2016 (r298351)
@@ -1439,6 +1439,12 @@ nlm_register_services(SVCPOOL *pool, int
return (EINVAL);
}
+ if (addr_count < 0 || addr_count > 256 ) {
+ NLM_ERR("NLM: too many service addresses (%d) given, "
+ "max 256 - can't start server\n", addr_count);
+ return (EINVAL);
+ }
+
xprts = malloc(addr_count * sizeof(SVCXPRT *), M_NLM, M_WAITOK|M_ZERO);
for (i = 0; i < version_count; i++) {
for (j = 0; j < addr_count; j++) {
More information about the svn-src-all
mailing list