Date: Sun, 6 Mar 2011 16:14:03 -0500
From: "Devon H. O'Dell" <devon.odell@gmail.com>
To: FreeBSD-gnats-submit@freebsd.org, freebsd-bugs@freebsd.org
Subject: Re: kern/155321: imgact_shell integer underflow when argv[0] is longer than interp + path
Message-ID: <AANLkTinQqtBD1ANhjs6P3gb5EJL4MhPUcLiPfo%2BmpNEX@mail.gmail.com>
In-Reply-To: <201103062000.p26K0InG097407@freefall.freebsd.org>
References: <201103061956.p26JutYe064887@red.freebsd.org> <201103062000.p26K0InG097407@freefall.freebsd.org>
[-- Attachment #1 --]
Actually, kib@ points out that this isn't quite correct; the correct
fix should indeed be a 1-liner, attached.
--dho
[-- Attachment #2 --]
Index: sys/kern/imgact_shell.c
===================================================================
--- sys/kern/imgact_shell.c (revision 219345)
+++ sys/kern/imgact_shell.c (working copy)
@@ -195,7 +195,7 @@
length = (imgp->args->argc == 0) ? 0 :
strlen(imgp->args->begin_argv) + 1; /* bytes to delete */
- if (offset - length > imgp->args->stringspace) {
+ if (offset > length && offset - length > imgp->args->stringspace) {
if (sname != NULL)
sbuf_delete(sname);
return (E2BIG);
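Review bot: The added `offset > length` guard in the changed condition has no comment explaining why it is there, so a later cleanup could easily drop it as redundant. The declarations of offset and length are outside the visible lines, but if they are unsigned, `offset - length` wraps to a very large value whenever length exceeds offset, and the comparison against imgp->args->stringspace then returns E2BIG for an argument list that is actually shrinking; that matches the underflow named in the subject. I would add a one-line comment above the `if` saying that when offset <= length the strings being removed are at least as long as those being inserted, so no space check is needed.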
