From a3e1ec194db59f8bb85564d73274da8abfd0641c Mon Sep 17 00:00:00 2001
From: David Schultz
Date: Wed, 23 Mar 2005 08:28:06 +0000
Subject: [PATCH] Bounds check the user-supplied length used in a copyout() in svr4_do_getmsg().
In principle this bug could disclose data from kernel memory, but in practice, the SVR4 emulation layer is probably not functional enough to cause the relevant code path to be executed. In any case, the emulator has been disconnected from the build since 5.0-RELEASE.
Found by: Coverity Prevent analysis tool
---
 sys/compat/svr4/svr4_stream.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sys/compat/svr4/svr4_stream.c b/sys/compat/svr4/svr4_stream.c
index 68bdf7c38684..e11c84cfaee4 100644
--- a/sys/compat/svr4/svr4_stream.c
+++ b/sys/compat/svr4/svr4_stream.c
@@ -2226,6 +2226,8 @@ svr4_do_getmsg(td, uap, fp)
 }
 if (uap->ctl) {
+ if (ctl.len > sizeof(sc))
+ ctl.len = sizeof(sc);
 if (ctl.len != -1)
 if ((error = copyout(&sc, ctl.buf, ctl.len)) != 0)
 return error;
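Review bot: The new clamp is placed before the existing `ctl.len != -1` sentinel test, and if `ctl.len` is a signed int (as the SVR4 strbuf `len` field appears to be elsewhere in this compat layer — its declaration is not in this hunk) the comparison against `sizeof(sc)` is done unsigned, so a user-supplied -1 becomes `sizeof(sc)` and the "no control buffer, skip the copyout" branch below it can never be taken; a caller passing len -1 with a null `ctl.buf` would then reach `copyout()` and presumably fail with EFAULT instead of succeeding. Reordering the test keeps the sentinel semantics while still clamping every other negative or oversized length, which would otherwise reach `copyout()` as a huge size_t — the very disclosure the commit fixes: replace the added condition with `if (ctl.len != -1 && (size_t)ctl.len > sizeof(sc))` and leave `ctl.len = sizeof(sc);` as is. A one-line comment on the clamp, `/* len is user-controlled; never copy out more than the local sc */`, would record why the bound exists for the next reader. svr4_do_getmsg() begins and ends outside this hunk, and any handling of the `dat` buffer that follows is not visible here.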