In init_dynamic_kenv(), ignore environment strings exceeding the

KENV_MNAMELEN + 1 + KENV_MVALLEN + 1 length limit to avoid buffer overflow in getenv(). Currenly loader(8) doesn't limit the length of environment strings. PR: kern/132104 MFC after: 1 month
svn path=/head/; revision=222216
2011-05-23 16:40:44 +00:00 · 2011-05-23 16:40:44 +00:00 · f53edc909e · 2020-12-20 02:59:44 +00:00
commit f53edc909e
parent 68e0d7e06a
1 changed files with 7 additions and 1 deletions
--- a/sys/kern/kern_environment.c
+++ b/sys/kern/kern_environment.c
@ -225,13 +225,19 @@ static void
 init_dynamic_kenv(void *data __unused)
 {
 	char *cp;
-	int len, i;
+	size_t len;
+	int i;

 	kenvp = malloc((KENV_SIZE + 1) * sizeof(char *), M_KENV,
 		M_WAITOK | M_ZERO);
 	i = 0;
 	for (cp = kern_envp; cp != NULL; cp = kernenv_next(cp)) {
 		len = strlen(cp) + 1;
+		if (len > KENV_MNAMELEN + 1 + KENV_MVALLEN + 1) {
+			printf("WARNING: too long kenv string, ignoring %s\n",
+			    cp);
+			continue;
+		}
 		if (i < KENV_SIZE) {
 			kenvp[i] = malloc(len, M_KENV, M_WAITOK);
 			strcpy(kenvp[i++], cp);