From f53edc909e1a03842ed21db6a851c8aa8b405953 Mon Sep 17 00:00:00 2001
From: Jaakko Heinonen
Date: Mon, 23 May 2011 16:40:44 +0000
Subject: [PATCH] In init_dynamic_kenv(), ignore environment strings exceeding the KENV_MNAMELEN + 1 + KENV_MVALLEN + 1 length limit to avoid buffer overflow in getenv(). Currenly loader(8) doesn't limit the length of environment strings.

PR: kern/132104
MFC after: 1 month
---
 sys/kern/kern_environment.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/sys/kern/kern_environment.c b/sys/kern/kern_environment.c
index 41a9fa8e8310..16760ce90c54 100644
--- a/sys/kern/kern_environment.c
+++ b/sys/kern/kern_environment.c
@@ -225,13 +225,19 @@ static void
 init_dynamic_kenv(void *data __unused)
 {
 	char *cp;
-	int len, i;
+	size_t len;
+	int i;
 
 	kenvp = malloc((KENV_SIZE + 1) * sizeof(char *), M_KENV,
 	    M_WAITOK | M_ZERO);
 	i = 0;
 	for (cp = kern_envp; cp != NULL; cp = kernenv_next(cp)) {
 		len = strlen(cp) + 1;
+		if (len > KENV_MNAMELEN + 1 + KENV_MVALLEN + 1) {
+			printf("WARNING: too long kenv string, ignoring %s\n",
+			    cp);
+			continue;
+		}
 		if (i < KENV_SIZE) {
 			kenvp[i] = malloc(len, M_KENV, M_WAITOK);
 			strcpy(kenvp[i++], cp);
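Review bot: The new warning `printf` echoes the whole rejected string through `%s`, so the one string that was just judged too long to store is still written in full to the console and message buffer, and the length of that log line is set by whatever the loader handed over rather than by the kernel. Bounding the output keeps the diagnostic readable and avoids logging oversized values verbatim, e.g. `printf("WARNING: too long kenv string, ignoring %.*s...\n", KENV_MNAMELEN, cp);` (if the kernel printf in this tree does not honor a `.*` precision, a fixed precision such as `%.64s` serves the same purpose). Whether loader environment strings can carry values that should not appear in the log depends on what the loader passes, which the hunk does not show, but printing only the name-sized prefix is enough to identify the offending entry either way. The body of init_dynamic_kenv() continues past the end of the hunk.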