Avoid a possible heap overflow in our nlm code by limiting the number

of service to the arbitrary value of 256. Log an appropriate message that indicates the hard limit. PR: 208808 Submitted by: cturt@hardenedbsd.org Reviewed by: dfr Obtained from: HardenedBSD MFC after: 2 weeks
svn path=/head/; revision=298351
2016-04-20 15:31:03 +00:00 · 2016-04-20 15:31:03 +00:00 · 2f7a2b9d79 · 2020-12-20 02:59:44 +00:00
commit 2f7a2b9d79
parent d478c9fe53
1 changed files with 6 additions and 0 deletions
--- a/sys/nlm/nlm_prot_impl.c
+++ b/sys/nlm/nlm_prot_impl.c
@ -1439,6 +1439,12 @@ nlm_register_services(SVCPOOL *pool, int addr_count, char **addrs)
 		return (EINVAL);
 	}

+	if (addr_count < 0 || addr_count > 256 ) {
+		NLM_ERR("NLM:  too many service addresses (%d) given, "
+		    "max 256 - can't start server\n", addr_count);
+		return (EINVAL);
+	}
+
 	xprts = malloc(addr_count * sizeof(SVCXPRT *), M_NLM, M_WAITOK|M_ZERO);
 	for (i = 0; i < version_count; i++) {
 		for (j = 0; j < addr_count; j++) {