Date: Fri, 01 Apr 2016 11:36:49 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206761] Kernel stack overflow in sysctl handler for kern.binmisc.add
Message-ID: <bug-206761-8-pbkkE20U90@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-206761-8@https.bugs.freebsd.org/bugzilla/>
References: <bug-206761-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206761

--- Comment #14 from CTurt <cturt@hardenedbsd.org> ---

I've taken another look at the code and found another potential bug.

I'm not certain if this is a bug yet, but I'd also like to bring the following code from `imgact_binmisc_add_entry` to attention:

    /* Make sure we don't have any invalid #'s. */
    p = xbe->xbe_interpreter;
    while (1) {
        p = strchr(p, '#');
        if (!p)
            break;
        p++;
        switch (*p) {
        case ISM_POUND:     /* "##" */
            p++;
            break;
        case ISM_OLD_ARGV0: /* "#a" */
            p++;
            break;
        case 0:
        default:
            /* Anything besides the above is invalid. */
            return (EINVAL);
        }
    }

From the comment, and the usage of a loop, it seems like this code should be checking that every '#' character in the string follows either another '#' or an 'a' character; however, there is no way that this loop will ever be executed more than once, since all conditions lead to `break` or `return`. In its current form the code will only validate the first '#' character.

To instead check that _every_ '#' character follows a valid character (and not just the first '#' character), the `case`s should `continue` the loop as below:

    /* Make sure we don't have any invalid #'s. */
    p = xbe->xbe_interpreter;
    while (1) {
        p = strchr(p, '#');
        if (!p)
            break;
        p++;
        switch (*p) {
        case ISM_POUND:     /* "##" */
            p++;
            continue;
        case ISM_OLD_ARGV0: /* "#a" */
            p++;
            continue;
        case 0:
        default:
            /* Anything besides the above is invalid. */
            return (EINVAL);
        }
    }

-- 
You are receiving this mail because:
You are the assignee for the bug.
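The following stand-alone C program is an added example; it is not code from the bug report, from CTurt, or from the FreeBSD source tree. It wraps the quoted `break` loop and the proposed `continue` variant in two functions that take the interpreter string directly (instead of reading `xbe->xbe_interpreter`) and runs both over a few constructed strings, so a reader can check empirically how each variant treats a string that contains more than one '#' sequence, a trailing '#', or no '#' at all. The `ISM_POUND` and `ISM_OLD_ARGV0` values are assumed from the `"##"` and `"#a"` comments in the quoted code; the kernel header defines its own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed values, taken from the "##" and "#a" comments in the quoted
 * loop. The kernel's own header (sys/imgact_binmisc.h) is authoritative. */
#define ISM_POUND     '#'
#define ISM_OLD_ARGV0 'a'

/* Variant 1: the loop as quoted from imgact_binmisc_add_entry(), using
 * `break` in each accepted case. Returns 0 when every '#' is followed by
 * '#' or 'a', EINVAL otherwise. */
static int
validate_break(const char *interp)
{
	const char *p = interp;

	while (1) {
		p = strchr(p, '#');
		if (!p)
			break;          /* no more '#': string is valid */
		p++;                    /* look at the character after '#' */
		switch (*p) {
		case ISM_POUND:         /* "##" */
			p++;
			break;
		case ISM_OLD_ARGV0:     /* "#a" */
			p++;
			break;
		case 0:                 /* '#' at end of string */
		default:                /* any other escape is invalid */
			return (EINVAL);
		}
	}
	return (0);
}

/* Variant 2: the same loop with `continue` in place of `break`, as the
 * comment proposes. Same return convention. */
static int
validate_continue(const char *interp)
{
	const char *p = interp;

	while (1) {
		p = strchr(p, '#');
		if (!p)
			break;
		p++;
		switch (*p) {
		case ISM_POUND:
			p++;
			continue;
		case ISM_OLD_ARGV0:
			p++;
			continue;
		case 0:
		default:
			return (EINVAL);
		}
	}
	return (0);
}

/* Returns 1 when both variants give the same verdict for interp. */
static int
variants_agree(const char *interp)
{
	return (validate_break(interp) == validate_continue(interp));
}

int
main(void)
{
	/* Constructed sample interpreter strings, not taken from any system. */
	static const char *samples[] = {
		"/usr/local/bin/qemu-arm #a",  /* one valid "#a" escape */
		"x##y#a",                       /* two valid escapes */
		"#a#b",                         /* second escape is invalid */
		"tail#",                        /* '#' as the last character */
		"no escapes here",              /* nothing to validate */
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-28s break=%d continue=%d agree=%d\n", samples[i],
		    validate_break(samples[i]), validate_continue(samples[i]),
		    variants_agree(samples[i]));
	return (0);
}
```

Build with `cc -Wall` and run; each line shows the verdict (0 or EINVAL) of the `break` form and of the `continue` form for one sample, plus whether they agree. Whether the two columns ever differ on a string with several '#' sequences is exactly the question the comment raises, and `main()` makes it easy to add your own strings to the table.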