svn commit: r222216 - head/sys/kern
Jaakko Heinonen
jh at FreeBSD.org
Mon May 23 16:40:44 UTC 2011
Author: jh
Date: Mon May 23 16:40:44 2011
New Revision: 222216
URL: http://svn.freebsd.org/changeset/base/222216
Log:
In init_dynamic_kenv(), ignore environment strings exceeding the
KENV_MNAMELEN + 1 + KENV_MVALLEN + 1 length limit to avoid buffer
overflow in getenv(). Currently loader(8) doesn't limit the length of
environment strings.
PR: kern/132104
MFC after: 1 month
Modified:
head/sys/kern/kern_environment.c
Modified: head/sys/kern/kern_environment.c
==============================================================================
--- head/sys/kern/kern_environment.c Mon May 23 15:23:18 2011 (r222215)
+++ head/sys/kern/kern_environment.c Mon May 23 16:40:44 2011 (r222216)
@@ -225,13 +225,19 @@ static void
init_dynamic_kenv(void *data __unused)
{
char *cp;
- int len, i;
+ size_t len;
+ int i;
kenvp = malloc((KENV_SIZE + 1) * sizeof(char *), M_KENV,
M_WAITOK | M_ZERO);
i = 0;
for (cp = kern_envp; cp != NULL; cp = kernenv_next(cp)) {
len = strlen(cp) + 1;
+ if (len > KENV_MNAMELEN + 1 + KENV_MVALLEN + 1) {
+ printf("WARNING: too long kenv string, ignoring %s\n",
+ cp);
+ continue;
+ }
if (i < KENV_SIZE) {
kenvp[i] = malloc(len, M_KENV, M_WAITOK);
strcpy(kenvp[i++], cp);
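Review bot: The new length check in the for loop bounds only the combined string, so an entry whose name part is longer than KENV_MNAMELEN or whose value part is longer than KENV_MVALLEN still passes as long as the total fits in KENV_MNAMELEN + 1 + KENV_MVALLEN + 1. If any consumer copies the name or the value into a buffer sized for a single field, it would be worth locating the '=' here and rejecting entries whose halves exceed their individual limits. A short comment that len already counts the terminating NUL would also make the comparison easier to audit. Separately, the warning prints the rejected string in full with %s; since that string is by definition over-long and loader(8) does not limit it, consider bounding the output with a precision such as "%.*s", or printing only the variable name.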