Bounds check the user-supplied length used in a copyout() in
svr4_do_getmsg(). In principle this bug could disclose data from kernel memory, but in practice, the SVR4 emulation layer is probably not functional enough to cause the relevant code path to be executed. In any case, the emulator has been disconnected from the build since 5.0-RELEASE. Found by: Coverity Prevent analysis tool
This commit is contained in:
parent
8a4d2b06c7
commit
a3e1ec194d
@ -2226,6 +2226,8 @@ svr4_do_getmsg(td, uap, fp)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (uap->ctl) {
|
if (uap->ctl) {
|
||||||
|
if (ctl.len > sizeof(sc))
|
||||||
|
ctl.len = sizeof(sc);
|
||||||
if (ctl.len != -1)
|
if (ctl.len != -1)
|
||||||
if ((error = copyout(&sc, ctl.buf, ctl.len)) != 0)
|
if ((error = copyout(&sc, ctl.buf, ctl.len)) != 0)
|
||||||
return error;
|
return error;
|
||||||
|
Loading…
Reference in New Issue
Block a user