author | Ted Unangst <tedu@cvs.openbsd.org> | 2003-11-17 16:18:29 +0000 |
---|---|---|
committer | Ted Unangst <tedu@cvs.openbsd.org> | 2003-11-17 16:18:29 +0000 |
commit | 6eeab970345ef543887b0cda91aca10c0a2817c2 (patch) | |
tree | ee9b50c7103bc2c7c0721924e36494ee5c1e7c03 | |
parent | 80bb912df8e6e6f488a2f88c503b929d18809151 (diff) |
add a missing bounds check that allowed a stack overrun. reported by
Georgi Guninski. also prevent an int overflow. ok millert@
-rw-r--r-- | sys/compat/ibcs2/ibcs2_exec.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sys/compat/ibcs2/ibcs2_exec.c b/sys/compat/ibcs2/ibcs2_exec.c
index db3e77fd42b..66f17b47051 100644
--- a/sys/compat/ibcs2/ibcs2_exec.c
+++ b/sys/compat/ibcs2/ibcs2_exec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ibcs2_exec.c,v 1.15 2003/11/03 19:58:22 tedu Exp $ */
+/* $OpenBSD: ibcs2_exec.c,v 1.16 2003/11/17 16:18:28 tedu Exp $ */
 /* $NetBSD: ibcs2_exec.c,v 1.12 1996/10/12 02:13:52 thorpej Exp $ */
 /*
@@ -425,11 +425,14 @@ n */
 size_t resid;
 struct coff_slhdr *slhdr;
 char buf[128], *bufp; /* FIXME */
- int len = sh.s_size, path_index, entry_len;
+ unsigned int len = sh.s_size, path_index, entry_len;
 /* DPRINTF(("COFF shlib size %d offset %d\n", sh.s_size, sh.s_scnptr)); */
+ if (len > sizeof(buf))
+ return (ENOEXEC);
+
 error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t) buf, len, sh.s_scnptr, UIO_SYSSPACE, IO_NODELOCKED, p->p_ucred,
@@ -447,6 +450,9 @@ n */
 /* DPRINTF(("path_index: %d entry_len: %d name: %s\n", path_index, entry_len, slhdr->sl_name)); */
+ if (entry_len > len)
+ return (ENOEXEC);
+
 error = coff_load_shlib(p, slhdr->sl_name, epp);
 if (error) return ENOEXEC; |
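Review bot: In the second hunk the new `if (len > sizeof(buf))` guard caps the read size, but nothing visible ensures that all `len` bytes are actually read into `buf`. `buf` is declared without an initialiser, so after a short read the unread tail would hold stale stack contents that the later parsing treats as section data. The rest of the `vn_rdwr` call and its error handling lie outside the hunk, so this needs confirming there. If the call fills in `resid`, the check after it should read `if (error || resid != 0) return (ENOEXEC);`. A one-line comment above the guard, such as `/* section must fit in buf; len is unsigned so a negative s_size cannot slip past */`, would also record why the type changed.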
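Review bot: In the third hunk `if (entry_len > len)` still lets an `entry_len` of 0 through. If the enclosing loop (outside this hunk) advances by `entry_len`, as the check suggests, a zero-length entry would never consume the buffer and the loop would not terminate. The guard should reject it as well: `if (entry_len == 0 || entry_len > len) return (ENOEXEC);`. Separately, the check bounds the entry but not the string passed to `coff_load_shlib()`. An entry smaller than the fixed header fields, or one whose `sl_name` has no NUL inside `entry_len`, would presumably be read past the validated data, so the name should be verified as terminated within the entry before the call.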