From owner-svn-src-all@freebsd.org Mon May 15 14:41:48 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F2267D6E93D; Mon, 15 May 2017 14:41:48 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C21811E12; Mon, 15 May 2017 14:41:48 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v4FEflkt059640; Mon, 15 May 2017 14:41:47 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v4FEflD1059639; Mon, 15 May 2017 14:41:47 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201705151441.v4FEflD1059639@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Mon, 15 May 2017 14:41:47 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r318293 - stable/11/sys/kern X-SVN-Group: stable-11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 May 2017 14:41:49 -0000 Author: emaste Date: Mon May 15 14:41:47 2017 New Revision: 318293 URL: https://svnweb.freebsd.org/changeset/base/318293 Log: MFC r315685: tighten buffer bounds in imgact_binmisc_populate_interp We must ensure there's space for the terminating null in the temporary buffer in imgact_binmisc_populate_interp(). Note that there's no buffer overflow here because xbe->xbe_interpreter's length and null termination is checked in imgact_binmisc_add_entry() before imgact_binmisc_populate_interp() is called. However, the latter should correctly enforce its own bounds. Sponsored by: The FreeBSD Foundation Modified: stable/11/sys/kern/imgact_binmisc.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/kern/imgact_binmisc.c ============================================================================== --- stable/11/sys/kern/imgact_binmisc.c Mon May 15 14:23:53 2017 (r318292) +++ stable/11/sys/kern/imgact_binmisc.c Mon May 15 14:41:47 2017 (r318293) @@ -120,7 +120,7 @@ imgact_binmisc_populate_interp(char *str sp = str; tp = t; while (*sp != '\0') { if (*sp == ' ' || *sp == '\t') { - if (++len > IBE_INTERP_LEN_MAX) + if (++len >= IBE_INTERP_LEN_MAX) break; *tp++ = ' '; argc++;