tighten buffer bounds in imgact_binmisc_populate_interp

We must ensure there's space for the terminating null in the temporary buffer in imgact_binmisc_populate_interp(). Note that there's no buffer overflow here because xbe->xbe_interpreter's length and null termination is checked in imgact_binmisc_add_entry() before imgact_binmisc_populate_interp() is called. However, the latter should correctly enforce its own bounds. Reviewed by: sbruno MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D10042
2017-03-21 18:02:14 +00:00 · 2017-03-21 18:02:14 +00:00 · 7d488f1e47
commit 7d488f1e47
parent a58d0019c1
1 changed files with 1 additions and 1 deletions
--- a/sys/kern/imgact_binmisc.c
+++ b/sys/kern/imgact_binmisc.c
@ -120,7 +120,7 @@ imgact_binmisc_populate_interp(char *str, imgact_binmisc_entry_t *ibe)
 	sp = str; tp = t;
 	while (*sp != '\0') {
 		if (*sp == ' ' || *sp == '\t') {
-			if (++len > IBE_INTERP_LEN_MAX)
+			if (++len >= IBE_INTERP_LEN_MAX)
 				break;
 			*tp++ = ' ';
 			argc++;