Date: Tue, 26 Jul 2011 18:59:38 +0000 (UTC) From: Jaakko Heinonen <jh@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org Subject: svn commit: r224458 - stable/7/sys/kern Message-ID: <201107261859.p6QIxcf7022266@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jh Date: Tue Jul 26 18:59:38 2011 New Revision: 224458 URL: http://svn.freebsd.org/changeset/base/224458 Log: MFC r222216: In init_dynamic_kenv(), ignore environment strings exceeding the KENV_MNAMELEN + 1 + KENV_MVALLEN + 1 length limit to avoid buffer overflow in getenv(). Currenly loader(8) doesn't limit the length of environment strings. PR: kern/132104 Modified: stable/7/sys/kern/kern_environment.c Directory Properties: stable/7/sys/ (props changed) stable/7/sys/cddl/contrib/opensolaris/ (props changed) stable/7/sys/contrib/dev/acpica/ (props changed) stable/7/sys/contrib/pf/ (props changed) Modified: stable/7/sys/kern/kern_environment.c ============================================================================== --- stable/7/sys/kern/kern_environment.c Tue Jul 26 17:39:40 2011 (r224457) +++ stable/7/sys/kern/kern_environment.c Tue Jul 26 18:59:38 2011 (r224458) @@ -217,13 +217,19 @@ static void init_dynamic_kenv(void *data __unused) { char *cp; - int len, i; + size_t len; + int i; kenvp = malloc((KENV_SIZE + 1) * sizeof(char *), M_KENV, M_WAITOK | M_ZERO); i = 0; for (cp = kern_envp; cp != NULL; cp = kernenv_next(cp)) { len = strlen(cp) + 1; + if (len > KENV_MNAMELEN + 1 + KENV_MVALLEN + 1) { + printf("WARNING: too long kenv string, ignoring %s\n", + cp); + continue; + } if (i < KENV_SIZE) { kenvp[i] = malloc(len, M_KENV, M_WAITOK); strcpy(kenvp[i++], cp);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201107261859.p6QIxcf7022266>