Date: Mon, 23 May 2011 16:40:44 +0000 (UTC) From: Jaakko Heinonen <jh@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r222216 - head/sys/kern Message-ID: <201105231640.p4NGeiX3029555@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jh Date: Mon May 23 16:40:44 2011 New Revision: 222216 URL: http://svn.freebsd.org/changeset/base/222216 Log: In init_dynamic_kenv(), ignore environment strings exceeding the KENV_MNAMELEN + 1 + KENV_MVALLEN + 1 length limit to avoid buffer overflow in getenv(). Currenly loader(8) doesn't limit the length of environment strings. PR: kern/132104 MFC after: 1 month Modified: head/sys/kern/kern_environment.c Modified: head/sys/kern/kern_environment.c ============================================================================== --- head/sys/kern/kern_environment.c Mon May 23 15:23:18 2011 (r222215) +++ head/sys/kern/kern_environment.c Mon May 23 16:40:44 2011 (r222216) @@ -225,13 +225,19 @@ static void init_dynamic_kenv(void *data __unused) { char *cp; - int len, i; + size_t len; + int i; kenvp = malloc((KENV_SIZE + 1) * sizeof(char *), M_KENV, M_WAITOK | M_ZERO); i = 0; for (cp = kern_envp; cp != NULL; cp = kernenv_next(cp)) { len = strlen(cp) + 1; + if (len > KENV_MNAMELEN + 1 + KENV_MVALLEN + 1) { + printf("WARNING: too long kenv string, ignoring %s\n", + cp); + continue; + } if (i < KENV_SIZE) { kenvp[i] = malloc(len, M_KENV, M_WAITOK); strcpy(kenvp[i++], cp);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201105231640.p4NGeiX3029555>