From owner-cvs-src@FreeBSD.ORG  Mon Oct 20 03:38:50 2003
Return-Path: <owner-cvs-src@FreeBSD.ORG>
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0DFB216A4B3; Mon, 20 Oct 2003 03:38:50 -0700 (PDT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 8B8A843FB1; Mon, 20 Oct 2003 03:38:49 -0700 (PDT)
	(envelope-from tjr@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id h9KAcnXJ037028;
	Mon, 20 Oct 2003 03:38:49 -0700 (PDT)
	(envelope-from tjr@repoman.freebsd.org)
Received: (from tjr@localhost)
	by repoman.freebsd.org (8.12.9/8.12.9/Submit) id h9KAcnVB037027;
	Mon, 20 Oct 2003 03:38:49 -0700 (PDT)
	(envelope-from tjr)
Message-Id: <200310201038.h9KAcnVB037027@repoman.freebsd.org>
From: "Tim J. Robbins" <tjr@FreeBSD.org>
Date: Mon, 20 Oct 2003 03:38:49 -0700 (PDT)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org,
	cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/compat/svr4 svr4_filio.c svr4_misc.c
 svr4_signal.c svr4_stream.c svr4_sysvec.c svr4_util.h
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the src tree <cvs-src.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-src>
List-Post: <mailto:cvs-src@freebsd.org>
List-Help: <mailto:cvs-src-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2003 10:38:50 -0000

tjr         2003/10/20 03:38:49 PDT

  FreeBSD src repository

  Modified files:
    sys/compat/svr4      svr4_filio.c svr4_misc.c svr4_signal.c 
                         svr4_stream.c svr4_sysvec.c svr4_util.h 
  Log:
  Fix some security bugs in the SVR4 emulator:
  - Return NULL instead of returning memory outside of the stackgap
    in stackgap_alloc() (FreeBSD-SA-00:42.linux)
  - Check for stackgap_alloc() returning NULL in svr4_emul_find(),
    and clean_pipe().
  - Avoid integer overflow on large nfds argument in svr4_sys_poll()
  - Reject negative nbytes argument in svr4_sys_getdents()
  - Don't copy out past the end of the struct componentname
    pathname buffer in svr4_sys_resolvepath()
  - Reject out-of-range signal numbers in svr4_sys_sigaction(),
    svr4_sys_signal(), and svr4_sys_kill().
  - Don't malloc() user-specified lengths in show_ioc() and
    show_strbuf(), place arbitrary limits instead.
  - Range-check lengths in si_listen(), ti_getinfo(), ti_bind(),
    svr4_do_putmsg(), svr4_do_getmsg(), svr4_stream_ti_ioctl().
  
  Some fixes obtain from OpenBSD.
  
  Revision  Changes    Path
  1.30      +7 -0      src/sys/compat/svr4/svr4_filio.c
  1.67      +7 -4      src/sys/compat/svr4/svr4_misc.c
  1.29      +12 -2     src/sys/compat/svr4/svr4_signal.c
  1.46      +44 -11    src/sys/compat/svr4/svr4_stream.c
  1.35      +4 -2      src/sys/compat/svr4/svr4_sysvec.c
  1.7       +4 -1      src/sys/compat/svr4/svr4_util.h