Date: Wed, 1 Dec 2004 23:51:41 +0100
From: Pawel Jakub Dawidek
To: Colin Percival
cc: cvs-src@FreeBSD.org
cc: src-committers@FreeBSD.org
cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/compat/linprocfs linprocfs.c src/sys/fs/procfs procfs_status.c
Message-ID: <20041201225141.GA813@darkness.comp.waw.pl>
In-Reply-To: <200412012133.iB1LX2JC019417@repoman.freebsd.org>

On Wed, Dec 01, 2004 at 09:33:02PM +0000, Colin Percival wrote:
+> cperciva 2004-12-01 21:33:02 UTC
+>
+> FreeBSD src repository
+>
+> Modified files:
+> sys/compat/linprocfs linprocfs.c
+> sys/fs/procfs procfs_status.c
+> Log:
+> Fix unvalidated pointer dereference. This is FreeBSD-SA-04:17.procfs.
[...]
+> 
@@ -794,10 +795,21 @@ linprocfs_doproccmdline(PFS_FILL_ARGS) +> sizeof(pstr)); +> if (error) +> return (error); +> + if (pstr.ps_nargvstr > ARG_MAX) +> + return (E2BIG); +> + ps_argvstr =3D malloc(pstr.ps_nargvstr * sizeof(char *), +> + M_TEMP, M_WAITOK); +> + error =3D copyin((void *)pstr.ps_argvstr, ps_argvstr, +> + pstr.ps_nargvstr * sizeof(char *)); +> + if (error) { +> + free(ps_argvstr, M_TEMP); +> + return (error); +> + } +> for (i =3D 0; i < pstr.ps_nargvstr; i++) { +> - sbuf_copyin(sb, pstr.ps_argvstr[i], 0); +> + sbuf_copyin(sb, ps_argvstr[i], 0); +> sbuf_printf(sb, "%c", '\0'); +> } +> + free(ps_argvstr, M_TEMP);

BTW. Why don't we check sbuf_copyin() return value here?

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
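
Review bot: The loop still ignores the return value of `sbuf_copyin(sb, ps_argvstr[i], 0)`, and each `ps_argvstr[i]` remains a user-supplied pointer even after the array itself has been copied in, so a failed copy is silently dropped and the loop carries on with the next argument. Check the return value inside the loop and, on failure, call `free(ps_argvstr, M_TEMP)` before returning, the same way the `copyin()` error path just above it does. Separately, the `pstr.ps_nargvstr > ARG_MAX` test uses a byte limit as an element count, so the `M_WAITOK` allocation can still reach `ARG_MAX * sizeof(char *)` bytes; a comment justifying that bound would help, and the test only rejects negative counts if `ps_nargvstr` is unsigned, which the hunk does not show.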