Date: Wed, 20 Apr 2016 15:31:03 +0000 (UTC) From: Sean Bruno <sbruno@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r298351 - head/sys/nlm Message-ID: <201604201531.u3KFV3dr083070@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sbruno Date: Wed Apr 20 15:31:03 2016 New Revision: 298351 URL: https://svnweb.freebsd.org/changeset/base/298351 Log: Avoid a possible heap overflow in our nlm code by limiting the number of service to the arbitrary value of 256. Log an appropriate message that indicates the hard limit. PR: 208808 Submitted by: cturt@hardenedbsd.org Reviewed by: dfr Obtained from: HardenedBSD MFC after: 2 weeks Modified: head/sys/nlm/nlm_prot_impl.c Modified: head/sys/nlm/nlm_prot_impl.c ============================================================================== --- head/sys/nlm/nlm_prot_impl.c Wed Apr 20 14:47:16 2016 (r298350) +++ head/sys/nlm/nlm_prot_impl.c Wed Apr 20 15:31:03 2016 (r298351) @@ -1439,6 +1439,12 @@ nlm_register_services(SVCPOOL *pool, int return (EINVAL); } + if (addr_count < 0 || addr_count > 256 ) { + NLM_ERR("NLM: too many service addresses (%d) given, " + "max 256 - can't start server\n", addr_count); + return (EINVAL); + } + xprts = malloc(addr_count * sizeof(SVCXPRT *), M_NLM, M_WAITOK|M_ZERO); for (i = 0; i < version_count; i++) { for (j = 0; j < addr_count; j++) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201604201531.u3KFV3dr083070>