Date: Fri, 22 Jul 2016 03:09:47 +0000 (UTC) From: Sean Bruno <sbruno@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r303173 - stable/10/sys/nlm Message-ID: <201607220309.u6M39loU074550@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sbruno Date: Fri Jul 22 03:09:47 2016 New Revision: 303173 URL: https://svnweb.freebsd.org/changeset/base/303173 Log: MFC r298351 Avoid a possible heap overflow in our nlm code by limiting the number of service to the arbitrary value of 256. Log an appropriate message that indicates the hard limit. Modified: stable/10/sys/nlm/nlm_prot_impl.c Modified: stable/10/sys/nlm/nlm_prot_impl.c ============================================================================== --- stable/10/sys/nlm/nlm_prot_impl.c Fri Jul 22 03:03:52 2016 (r303172) +++ stable/10/sys/nlm/nlm_prot_impl.c Fri Jul 22 03:09:47 2016 (r303173) @@ -1439,6 +1439,12 @@ nlm_register_services(SVCPOOL *pool, int return (EINVAL); } + if (addr_count < 0 || addr_count > 256 ) { + NLM_ERR("NLM: too many service addresses (%d) given, " + "max 256 - can't start server\n", addr_count); + return (EINVAL); + } + xprts = malloc(addr_count * sizeof(SVCXPRT *), M_NLM, M_WAITOK|M_ZERO); for (i = 0; i < version_count; i++) { for (j = 0; j < addr_count; j++) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201607220309.u6M39loU074550>