Bounds check the user-supplied length used in a copyout() in

svr4_do_getmsg(). In principle this bug could disclose data from kernel memory, but in practice, the SVR4 emulation layer is probably not functional enough to cause the relevant code path to be executed. In any case, the emulator has been disconnected from the build since 5.0-RELEASE. Found by: Coverity Prevent analysis tool
2005-03-23 08:28:06 +00:00 · 2005-03-23 08:28:06 +00:00 · 6a2a1d9492
commit 6a2a1d9492
parent d1fb7b8c2a
1 changed files with 2 additions and 0 deletions
--- a/sys/compat/svr4/svr4_stream.c
+++ b/sys/compat/svr4/svr4_stream.c
@ -2226,6 +2226,8 @@ svr4_do_getmsg(td, uap, fp)
 	}

 	if (uap->ctl) {
+		if (ctl.len > sizeof(sc))
+			ctl.len = sizeof(sc);
 		if (ctl.len != -1)
 			if ((error = copyout(&sc, ctl.buf, ctl.len)) != 0)
 				return error;