From 910938f079ceac7d7e0b1b831ce8ebed213d7a30 Mon Sep 17 00:00:00 2001 From: Sean Bruno Date: Fri, 1 Apr 2016 16:16:26 +0000 Subject: [PATCH] Repair a overflow condition where a user could submit a string that was not getting a proper bounds check. Thanks to CTurt for pointing at this with a big red blinking neon sign. PR: 206761 Submitted by: sson Reviewed by: cturt@hardenedbsd.org MFC after: 3 days --- sys/kern/imgact_binmisc.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/sys/kern/imgact_binmisc.c b/sys/kern/imgact_binmisc.c index dd57717e9b4c..39ca156fb4ce 100644 --- a/sys/kern/imgact_binmisc.c +++ b/sys/kern/imgact_binmisc.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2013-15, Stacey D. Son + * Copyright (c) 2013-16, Stacey D. Son * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -220,16 +220,17 @@ imgact_binmisc_add_entry(ximgact_binmisc_entry_t *xbe) { imgact_binmisc_entry_t *ibe; char *p; + int cnt; if (xbe->xbe_msize > IBE_MAGIC_MAX) return (EINVAL); - for(p = xbe->xbe_name; *p != 0; p++) - if (!isascii((int)*p)) + for(cnt = 0, p = xbe->xbe_name; *p != 0; cnt++, p++) + if (cnt >= IBE_NAME_MAX || !isascii((int)*p)) return (EINVAL); - for(p = xbe->xbe_interpreter; *p != 0; p++) - if (!isascii((int)*p)) + for(cnt = 0, p = xbe->xbe_interpreter; *p != 0; cnt++, p++) + if (cnt >= IBE_INTERP_LEN_MAX || !isascii((int)*p)) return (EINVAL); /* Make sure we don't have any invalid #'s. */ @@ -266,8 +267,6 @@ imgact_binmisc_add_entry(ximgact_binmisc_entry_t *xbe) /* Preallocate a new entry. */ ibe = imgact_binmisc_new_entry(xbe); - if (!ibe) - return (ENOMEM); SLIST_INSERT_HEAD(&interpreter_list, ibe, link); interp_list_entry_count++;