Bounds check the user-supplied length used in a copyout() in

svr4_do_getmsg(). In principle this bug could disclose data from kernel memory, but in practice, the SVR4 emulation layer is probably not functional enough to cause the relevant code path to be executed. In any case, the emulator has been disconnected from the build since 5.0-RELEASE. Found by: Coverity Prevent analysis tool
svn path=/head/; revision=144014
2005-03-23 08:28:06 +00:00 · 2005-03-23 08:28:06 +00:00 · a3e1ec194d · 2020-12-20 02:59:44 +00:00
commit a3e1ec194d
parent 8a4d2b06c7
1 changed files with 2 additions and 0 deletions
--- a/sys/compat/svr4/svr4_stream.c
+++ b/sys/compat/svr4/svr4_stream.c
@ -2226,6 +2226,8 @@ svr4_do_getmsg(td, uap, fp)
 	}

 	if (uap->ctl) {
+		if (ctl.len > sizeof(sc))
+			ctl.len = sizeof(sc);
 		if (ctl.len != -1)
 			if ((error = copyout(&sc, ctl.buf, ctl.len)) != 0)
 				return error;