Bounds check the length parameter to i386_set_ldt() before passing it

to kmem_alloc().  Failure to do this made it possible for user
processes to cause a hard lock on i386 kernels.  I believe this only
affects 6-CURRENT on or after 2005-01-26.

Found by:	Coverity Prevent analysis tool
Security:	Local DOS
This commit is contained in:
David Schultz 2005-03-23 08:28:03 +00:00
parent aa675b572f
commit 8a4d2b06c7


@ -103,6 +103,8 @@ sysarch(td, uap)
if ((error = copyin(uap->parms, &kargs.largs, if ((error = copyin(uap->parms, &kargs.largs,
sizeof(struct i386_ldt_args))) != 0) sizeof(struct i386_ldt_args))) != 0)
return (error); return (error);
if (kargs.largs.num > MAX_LD || kargs.largs.num <= 0)
return (EINVAL);
break; break;
default: default:
break; break;
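Review bot: The new range check lives in sysarch()'s dispatcher rather than in i386_set_ldt() itself, so any other in-kernel caller of i386_set_ldt() (the commit message names it as the function that passes the length to kmem_alloc()) would still reach the allocation with an unchecked num; if such callers exist, the same `num > MAX_LD || num <= 0` test belongs at the top of i386_set_ldt() as well, and the check here can stay as an early EINVAL. The check also bounds only num, not the start slot; whether start + num is compared against MAX_LD later is outside the hunk and should be confirmed, since an in-range num with a large start is the same overrun from the caller's point of view. The signedness of kargs.largs.num is not visible here; if it is unsigned, `num <= 0` reduces to `num == 0`, which is still correct but may draw a compiler warning, so `num == 0` would be the clearer spelling in that case. A short why-comment would help the next reader, e.g. `/* Bound num before i386_set_ldt() uses it to size a kmem_alloc(). */`. sysarch() begins before the hunk and its switch continues past it.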