Fix unvalidated pointer dereference. This is FreeBSD-SA-04:17.procfs.

2004-12-01 21:33:02 +00:00 · 2004-12-01 21:33:02 +00:00 · 691b3b0df9
commit 691b3b0df9
parent 7e1f562e2a
2 changed files with 26 additions and 2 deletions
--- a/sys/compat/linprocfs/linprocfs.c
+++ b/sys/compat/linprocfs/linprocfs.c
@ -769,6 +769,7 @@ static int
 linprocfs_doproccmdline(PFS_FILL_ARGS)
 {
 	struct ps_strings pstr;
 	char **ps_argvstr;
 	int error, i;
 	/*
@ -794,10 +795,21 @@ linprocfs_doproccmdline(PFS_FILL_ARGS)
 		    sizeof(pstr));
 		if (error)
 			return (error);
 		if (pstr.ps_nargvstr > ARG_MAX)
 			return (E2BIG);
 		ps_argvstr = malloc(pstr.ps_nargvstr * sizeof(char *),
 		    M_TEMP, M_WAITOK);
 		error = copyin((void *)pstr.ps_argvstr, ps_argvstr,
 		    pstr.ps_nargvstr * sizeof(char *));
 		if (error) {
 			free(ps_argvstr, M_TEMP);
 			return (error);
 		}
 		for (i = 0; i < pstr.ps_nargvstr; i++) {
-			sbuf_copyin(sb, pstr.ps_argvstr[i], 0);
+			sbuf_copyin(sb, ps_argvstr[i], 0);
 			sbuf_printf(sb, "%c", '\0');
 		}
 		free(ps_argvstr, M_TEMP);
 	}
 	return (0);
--- a/sys/fs/procfs/procfs_status.c
+++ b/sys/fs/procfs/procfs_status.c
@ -173,6 +173,7 @@ int
 procfs_doproccmdline(PFS_FILL_ARGS)
 {
 	struct ps_strings pstr;
 	char **ps_argvstr;
 	int error, i;
 	/*
@ -199,10 +200,21 @@ procfs_doproccmdline(PFS_FILL_ARGS)
 		    sizeof(pstr));
 		if (error)
 			return (error);
 		if (pstr.ps_nargvstr > ARG_MAX)
 			return (E2BIG);
 		ps_argvstr = malloc(pstr.ps_nargvstr * sizeof(char *),
 		    M_TEMP, M_WAITOK);
 		error = copyin((void *)pstr.ps_argvstr, ps_argvstr,
 		    pstr.ps_nargvstr * sizeof(char *));
 		if (error) {
 			free(ps_argvstr, M_TEMP);
 			return (error);
 		}
 		for (i = 0; i < pstr.ps_nargvstr; i++) {
-			sbuf_copyin(sb, pstr.ps_argvstr[i], 0);
+			sbuf_copyin(sb, ps_argvstr[i], 0);
 			sbuf_printf(sb, "%c", '\0');
 		}
 		free(ps_argvstr, M_TEMP);
 	}
 	return (0);