From owner-svn-src-head@FreeBSD.ORG Mon Mar 23 00:00:51 2009
Return-Path:
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2BF45106566C; Mon, 23 Mar 2009 00:00:51 +0000 (UTC) (envelope-from cperciva@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id ACC5A8FC0A; Mon, 23 Mar 2009 00:00:50 +0000 (UTC) (envelope-from cperciva@FreeBSD.org)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n2N00oaS088178; Mon, 23 Mar 2009 00:00:50 GMT (envelope-from cperciva@svn.freebsd.org)
Received: (from cperciva@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n2N00o2w088176; Mon, 23 Mar 2009 00:00:50 GMT (envelope-from cperciva@svn.freebsd.org)
Message-Id: <200903230000.n2N00o2w088176@svn.freebsd.org>
From: Colin Percival Date: Mon, 23 Mar 2009 00:00:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r190301 - head/sys/kern releng/7.0 releng/7.0/sys/conf releng/7.0/sys/kern releng/7.1 releng/7.1/sys/conf releng/7.1/sys/kern stable/7/sys/kern X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Mar 2009 00:00:51 -0000 Author: cperciva Date: Mon Mar 23 00:00:50 2009 New Revision: 190301 URL: http://svn.freebsd.org/changeset/base/190301 Log: Correctly sanity-check timer IDs. [SA-09:06] Limit the size of malloced buffer when dumping environment variables. [EN-09:01] Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-09:06.ktimer Errata: FreeBSD-EN-09:01.kenv Modified: head/sys/kern/kern_environment.c head/sys/kern/kern_time.c Changes in other areas also in this revision: Modified: releng/7.0/UPDATING releng/7.0/sys/conf/newvers.sh releng/7.0/sys/kern/kern_environment.c releng/7.0/sys/kern/kern_time.c releng/7.1/UPDATING releng/7.1/sys/conf/newvers.sh releng/7.1/sys/kern/kern_environment.c releng/7.1/sys/kern/kern_time.c stable/7/sys/kern/kern_environment.c stable/7/sys/kern/kern_time.c Modified: head/sys/kern/kern_environment.c ============================================================================== --- head/sys/kern/kern_environment.c Sun Mar 22 23:00:52 2009 (r190300) +++ head/sys/kern/kern_environment.c Mon Mar 23 00:00:50 2009 (r190301) @@ -87,7 +87,7 @@ kenv(td, uap) } */ *uap; { char *name, *value, *buffer = NULL; - size_t len, done, needed; + size_t len, done, needed, buflen; int error, i; KASSERT(dynamic_kenv, ("kenv: dynamic_kenv = 0")); 
@@ -100,13 +100,17 @@ kenv(td, uap) return (error); #endif done = needed = 0; + buflen = uap->len; + if (buflen > KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2)) + buflen = KENV_SIZE * (KENV_MNAMELEN + + KENV_MVALLEN + 2); if (uap->len > 0 && uap->value != NULL) - buffer = malloc(uap->len, M_TEMP, M_WAITOK|M_ZERO); + buffer = malloc(buflen, M_TEMP, M_WAITOK|M_ZERO); mtx_lock(&kenv_lock); for (i = 0; kenvp[i] != NULL; i++) { len = strlen(kenvp[i]) + 1; needed += len; - len = min(len, uap->len - done); + len = min(len, buflen - done); /* * If called with a NULL or insufficiently large * buffer, just keep computing the required size. Modified: head/sys/kern/kern_time.c ============================================================================== --- head/sys/kern/kern_time.c Sun Mar 22 23:00:52 2009 (r190300) +++ head/sys/kern/kern_time.c Mon Mar 23 00:00:50 2009 (r190301) @@ -1085,7 +1085,8 @@ itimer_find(struct proc *p, int timerid) struct itimer *it; PROC_LOCK_ASSERT(p, MA_OWNED); - if ((p->p_itimers == NULL) || (timerid >= TIMER_MAX) || + if ((p->p_itimers == NULL) || + (timerid < 0) || (timerid >= TIMER_MAX) || (it = p->p_itimers->its_timers[timerid]) == NULL) { return (NULL); }
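Review bot: the cap in the kenv() hunk is spelled out twice (`KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2)` in the `if` and again in the assignment); give it a name next to the KENV_* definitions so the bound and its rationale (every slot holding "name=value" plus the '=' and the NUL) live in one place. Two things to confirm while here: `buflen = uap->len;` copies the caller-supplied length into a `size_t` before the existing `uap->len > 0` test, so if `len` is signed (its type is not visible in the hunk) a negative value turns into a huge `size_t` that the new check silently clamps to the maximum instead of rejecting; no buffer is allocated in that case, so the copy inside the loop must still be skipped when `buffer == NULL` even though `len = min(len, buflen - done)` is now nonzero, which the unchanged comment suggests but the hunk does not show. `needed` still accumulates the real total, so a caller whose buffer exceeds the cap is told the true size rather than the clamped one, which is the right behaviour to keep.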
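Review bot: the itimer_find() hunk adds the missing lower-bound test; `timerid` is a signed int that arrives from userland, so before this change a negative id was used directly as an index into `its_timers[]` and read before the start of the array. Since the guard lives only in this helper, check that every other site in kern_time.c that indexes `p->p_itimers->its_timers[]` with a user-supplied id goes through itimer_find() rather than repeating the old one-sided `timerid >= TIMER_MAX` check. Stylistically the two comparisons could be collapsed into `(u_int)timerid >= TIMER_MAX`, but the explicit `(timerid < 0) ||` form is easier to audit and worth keeping; the PROC_LOCK assertion and NULL tests around it are unchanged.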
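The two checks this commit introduces, the lower bound on a signed array index and the clamp on a caller-supplied allocation size, modelled in userland C as an added example. This is not FreeBSD code: `TIMER_MAX` and the `KENV_*` limits are placeholder values assumed here (the real ones live in the kernel headers), the `itimer_find_*`/`kenv_*` names are illustrative, and the environment array is constructed for the demonstration.

```c
/*
 * Added example, not FreeBSD source: userland models of the two checks
 * committed in r190301.  TIMER_MAX and the KENV_* limits below are
 * assumed placeholder values; the real ones live in the kernel headers.
 */
#include <limits.h>
#include <stddef.h>
#include <string.h>

#define TIMER_MAX      32     /* assumed: per-process timer slot count */
#define KENV_SIZE      512    /* assumed: max number of kenv entries */
#define KENV_MNAMELEN  128    /* assumed: max name length */
#define KENV_MVALLEN   128    /* assumed: max value length */
/* Upper bound on a full dump: every slot holding "name=value\0". */
#define KENV_MAXBUF    (KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2))

struct itimer { int id; };
struct itimers { struct itimer *its_timers[TIMER_MAX]; };

/*
 * Pre-fix shape of itimer_find(): only the upper bound is checked, so a
 * negative timerid indexes memory before its_timers[].  Never call this
 * with a negative id; it is here only to show the missing check.
 */
struct itimer *itimer_find_unfixed(struct itimers *its, int timerid)
{
	if (its == NULL || timerid >= TIMER_MAX)
		return NULL;
	return its->its_timers[timerid];
}

/* Post-fix shape: both ends of the range are rejected before indexing. */
struct itimer *itimer_find_fixed(struct itimers *its, int timerid)
{
	if (its == NULL || timerid < 0 || timerid >= TIMER_MAX)
		return NULL;
	return its->its_timers[timerid];
}

/* The same range test as one unsigned compare; negatives wrap to huge values. */
int timerid_in_range(int timerid)
{
	return (unsigned int)timerid < (unsigned int)TIMER_MAX;
}

/*
 * Clamp a caller-supplied dump length the way the patched kenv() does:
 * no buffer for len <= 0, and never more than the static maximum.
 */
size_t kenv_buflen(int len)
{
	size_t buflen;

	if (len <= 0)
		return 0;
	buflen = (size_t)len;
	if (buflen > KENV_MAXBUF)
		buflen = KENV_MAXBUF;
	return buflen;
}

/*
 * Model of the dump loop: copy "name=value\0" strings into buf (which may
 * be NULL) up to the clamped length, and return the total size needed so
 * the caller can retry with a bigger buffer.  *done_out gets bytes copied.
 */
size_t kenv_dump(char *const *env, char *buf, int len, size_t *done_out)
{
	size_t buflen = kenv_buflen(len), done = 0, needed = 0, n;
	int i;

	for (i = 0; env[i] != NULL; i++) {
		n = strlen(env[i]) + 1;
		needed += n;
		if (n > buflen - done)
			n = buflen - done;
		if (buf != NULL && n > 0) {
			memcpy(buf + done, env[i], n);
			done += n;
		}
	}
	if (done_out != NULL)
		*done_out = done;
	return needed;
}
```

The unsigned-compare variant is the usual one-line idiom for a signed index into a fixed array; it is equivalent to the two explicit comparisons in the patch because `TIMER_MAX` is a small positive constant. The kenv model keeps `needed` independent of the clamp, so a caller passing a length above `KENV_MAXBUF` still learns the true size rather than the clamped one.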