Date: Mon, 7 Sep 2009 09:30:38 +0000 (UTC) From: Attilio Rao <attilio@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r196916 - head/contrib/gdtoa Message-ID: <200909070930.n879UcSC009647@svn.freebsd.org>
Author: attilio Date: Mon Sep 7 09:30:37 2009 New Revision: 196916 URL: http://svn.freebsd.org/changeset/base/196916 Log: Import a vendor fix for a list overrun. This has been considered as a security hole on some specialized ml, but currently the secteam@ doesn't consider that way. Reviewed by: emaste, des Sponsored by: Sandvine Incorporated MFC after: 3 days Modified: head/contrib/gdtoa/gdtoaimp.h head/contrib/gdtoa/misc.c Modified: head/contrib/gdtoa/gdtoaimp.h ============================================================================== --- head/contrib/gdtoa/gdtoaimp.h Mon Sep 7 08:52:15 2009 (r196915) +++ head/contrib/gdtoa/gdtoaimp.h Mon Sep 7 09:30:37 2009 (r196916) @@ -485,7 +485,7 @@ extern pthread_mutex_t __gdtoa_locks[2]; _pthread_mutex_unlock(&__gdtoa_locks[n]); \ } while(0) -#define Kmax 15 +#define Kmax 9 struct Bigint { Modified: head/contrib/gdtoa/misc.c ============================================================================== --- head/contrib/gdtoa/misc.c Mon Sep 7 08:52:15 2009 (r196915) +++ head/contrib/gdtoa/misc.c Mon Sep 7 09:30:37 2009 (r196916) @@ -55,7 +55,9 @@ Balloc #endif ACQUIRE_DTOA_LOCK(0); - if ( (rv = freelist[k]) !=0) { + /* The k > Kmax case does not need ACQUIRE_DTOA_LOCK(0), */ + /* but this case seems very unlikely. */ + if (k <= Kmax && (rv = freelist[k]) !=0) { freelist[k] = rv->next; } else { @@ -65,7 +67,7 @@ Balloc #else len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1) /sizeof(double); - if (pmem_next - private_mem + len <= PRIVATE_mem) { + if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) { rv = (Bigint*)pmem_next; pmem_next += len; } @@ -89,10 +91,14 @@ Bfree #endif { if (v) { - ACQUIRE_DTOA_LOCK(0); - v->next = freelist[v->k]; - freelist[v->k] = v; - FREE_DTOA_LOCK(0); + if (v->k > Kmax) + free((void*)v); + else { + ACQUIRE_DTOA_LOCK(0); + v->next = freelist[v->k]; + freelist[v->k] = v; + FREE_DTOA_LOCK(0); + } } }
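Review bot: The new `#define Kmax 9` in gdtoaimp.h has no comment, although after this commit it is the boundary the guards in misc.c use to choose between the freelist and the heap. A one-line comment would record that coupling, for example `/* Largest k kept on freelist[]; Balloc and Bfree send larger k to the heap. */`. How freelist itself is sized is outside the hunks shown, so confirm that its declaration still covers index Kmax.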
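Review bot: The added guard `k <= Kmax` in the first Balloc hunk bounds the freelist index only from above. The declaration of k is outside this hunk; if it is a signed int, a negative value would still reach `freelist[k]`. The same holds for `v->k > Kmax` in the Bfree hunk, where a negative `v->k` falls through to the freelist write. Callers presumably never pass a negative k, but a two-sided check such as `if (k >= 0 && k <= Kmax && (rv = freelist[k]) != 0) {` keeps the index in range regardless, and the allocation branch would then need to reject such a value as well. Balloc's body starts and ends outside the hunk.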
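Review bot: The `k <= Kmax` term added to the private_mem test in the second Balloc hunk has no comment, yet it carries the invariant the new Bfree depends on: a Bigint with k > Kmax must come from the heap, because Bfree now passes it to `free()`. Without that stated, a later cleanup could drop the term as redundant, and Bfree would then call `free()` on a pointer into private_mem. A comment above the test would do, for example `/* k > Kmax blocks are free()d by Bfree, so they must never be carved from private_mem. */`. The heap branch is outside the hunk; since every k > Kmax request now lands there, confirm that it handles a failed allocation.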
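Review bot: Bfree now releases large blocks with a direct `free((void*)v)`, which is only correct if Balloc's heap path obtains them from the matching allocator; that call is outside the hunks shown. If the allocation goes through a build-time configurable wrapper rather than plain malloc, the release here should go through its counterpart. The branch choice also trusts `v->k` as stored in the block, so a short comment such as `/* k > Kmax: block came from the heap in Balloc, never from freelist or private_mem */` would record why the split is safe.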