From owner-cvs-src@FreeBSD.ORG  Wed Dec  1 22:51:45 2004
Return-Path: <owner-cvs-src@FreeBSD.ORG>
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 734E316A4CE; Wed,  1 Dec 2004 22:51:45 +0000 (GMT)
Received: from darkness.comp.waw.pl (darkness.comp.waw.pl [195.117.238.136])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id E333543D41; Wed,  1 Dec 2004 22:51:44 +0000 (GMT)
	(envelope-from pjd@darkness.comp.waw.pl)
Received: by darkness.comp.waw.pl (Postfix, from userid 1009)
	id 77B0EAC942; Wed,  1 Dec 2004 23:51:41 +0100 (CET)
Date: Wed, 1 Dec 2004 23:51:41 +0100
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Colin Percival <cperciva@FreeBSD.org>
Message-ID: <20041201225141.GA813@darkness.comp.waw.pl>
References: <200412012133.iB1LX2JC019417@repoman.freebsd.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="wac7ysb48OaltWcw"
Content-Disposition: inline
In-Reply-To: <200412012133.iB1LX2JC019417@repoman.freebsd.org>
User-Agent: Mutt/1.4.2i
X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc
X-OS: FreeBSD 5.2.1-RC2 i386
cc: cvs-src@FreeBSD.org
cc: src-committers@FreeBSD.org
cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/compat/linprocfs linprocfs.c
	src/sys/fs/procfs procfs_status.c
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the src tree <cvs-src.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-src>
List-Post: <mailto:cvs-src@freebsd.org>
List-Help: <mailto:cvs-src-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Dec 2004 22:51:45 -0000


--wac7ysb48OaltWcw
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 01, 2004 at 09:33:02PM +0000, Colin Percival wrote:
+> cperciva    2004-12-01 21:33:02 UTC
+>=20
+>   FreeBSD src repository
+>=20
+>   Modified files:
+>     sys/compat/linprocfs linprocfs.c=20
+>     sys/fs/procfs        procfs_status.c=20
+>   Log:
+>   Fix unvalidated pointer dereference.  This is FreeBSD-SA-04:17.procfs.
[...]
+> @@ -794,10 +795,21 @@ linprocfs_doproccmdline(PFS_FILL_ARGS)
+>  		    sizeof(pstr));
+>  		if (error)
+>  			return (error);
+> +		if (pstr.ps_nargvstr > ARG_MAX)
+> +			return (E2BIG);
+> +		ps_argvstr =3D malloc(pstr.ps_nargvstr * sizeof(char *),
+> +		    M_TEMP, M_WAITOK);
+> +		error =3D copyin((void *)pstr.ps_argvstr, ps_argvstr,
+> +		    pstr.ps_nargvstr * sizeof(char *));
+> +		if (error) {
+> +			free(ps_argvstr, M_TEMP);
+> +			return (error);
+> +		}
+>  		for (i =3D 0; i < pstr.ps_nargvstr; i++) {
+> -			sbuf_copyin(sb, pstr.ps_argvstr[i], 0);
+> +			sbuf_copyin(sb, ps_argvstr[i], 0);
+>  			sbuf_printf(sb, "%c", '\0');
+>  		}
+> +		free(ps_argvstr, M_TEMP);

BTW. Why we don't check sbuf_copyin() return value here?

--=20
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

--wac7ysb48OaltWcw
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFBrkr9ForvXbEpPzQRAiYvAKC5fn2LdkUmuK8SsuEFugpYUYMDgwCgpYVw
ngrBdQIMen8N7PC5+IPWIFk=
=v/zt
-----END PGP SIGNATURE-----

--wac7ysb48OaltWcw--