Date: Fri, 22 Apr 2016 21:59:14 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 208985] DoS / heap overflow in bpf_stats_sysctl Message-ID: <bug-208985-8-oA3fTDki6A@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-208985-8@https.bugs.freebsd.org/bugzilla/> References: <bug-208985-8@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208985 --- Comment #1 from CTurt <cturt@hardenedbsd.org> --- To fix this bug, there should be a bound check on `req->oldlen` before calling `malloc`, such as the following: if (req->oldptr == NULL) return (SYSCTL_OUT(req, 0, bpf_bpfd_cnt * sizeof(*xbd))); if (bpf_bpfd_cnt == 0) return (SYSCTL_OUT(req, 0, 0)); + if (req->oldlen > 0x1000) + return EINVAL; xbdbuf = malloc(req->oldlen, M_BPF, M_WAITOK); -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-208985-8-oA3fTDki6A>