Date: Sun, 20 Feb 2011 17:01:37 GMT
Message-Id: <201102201701.p1KH1bYU037557@skunkworks.freebsd.org>
From: Edward Tomasz Napierala
To: Perforce Change Reviews
Subject: PERFORCE change 188976 for review

http://p4web.freebsd.org/@@188976?ac=10

Change 188976 by trasz@trasz_victim on 2011/02/20 17:00:33

	Prevent root from crashing the system by adding a rule with too long loginclass name.

Affected files ...

.. //depot/projects/soc2009/trasz_limits/sys/kern/kern_loginclass.c#30 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/kern_rctl.c#33 edit

Differences ...

==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_loginclass.c#30 (text+ko) ==== @@ -113,8 +113,8 @@ { struct loginclass *lc, *newlc; - KASSERT(strlen(name) <= MAXLOGNAME - 1, - ("loginclass_find: got too long name")); + if (strlen(name) > MAXLOGNAME - 1) + return (NULL); newlc = malloc(sizeof(*newlc), M_LOGINCLASS, M_ZERO | M_WAITOK); container_create(&newlc->lc_container); @@ -200,6 +200,7 @@ newcred = crget(); newlc = loginclass_find(lcname); + KASSERT(newlc != NULL, ("loginclass_find() failed")); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); ==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_rctl.c#33 (text+ko) ==== @@ -837,6 +837,10 @@ case RCTL_SUBJECT_TYPE_LOGINCLASS: rule->rr_subject.hr_loginclass = loginclass_find(subject_idstr); + if (rule->rr_subject.hr_loginclass == NULL) { + error = ENAMETOOLONG; + goto out; + } break; case RCTL_SUBJECT_TYPE_JAIL: rule->rr_subject.rs_prison =
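
Review bot: in the first kern_loginclass.c hunk (@@ -113), the new `return (NULL);` changes the contract of loginclass_find(), so every caller now has to handle a NULL result, and nothing in the hunk documents that. Please add a line to the function's comment stating that NULL is returned when the name is longer than MAXLOGNAME - 1. The placement before the malloc() is right, since the early return then has nothing to free.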
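
Review bot: in the second kern_loginclass.c hunk (@@ -200), `KASSERT(newlc != NULL, ("loginclass_find() failed"));` only fires on kernels built with INVARIANTS, so on other kernels a NULL from loginclass_find(lcname) passes through unchecked. The hunk does not show how lcname is length-bounded; if an earlier bound guarantees it fits, say so in a comment next to the assertion, otherwise replace the assertion with an explicit NULL check that returns an error and releases the newcred obtained from crget() just above.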
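
Review bot: in the kern_rctl.c hunk (@@ -837), `error = ENAMETOOLONG;` encodes the assumption that an over-long name is the only reason loginclass_find() returns NULL. That holds for the check added in kern_loginclass.c, but the two will drift apart if loginclass_find() ever gains another failure path; a short comment here stating the assumption would help. Also worth confirming that the `out` label releases the partially filled rule, since that cleanup is not visible in this hunk.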