Missing or incorrect header sizes bounds check; ``looks ok'' mickey@

2 files changed, 6 insertions, 3 deletions

diff --git a/sys/compat/hpux/hppa/hpux_exec.c b/sys/compat/hpux/hppa/hpux_exec.c
index 3a865e041e1..163ce3dbad8 100644
--- a/sys/compat/hpux/hppa/hpux_exec.c
+++ b/sys/compat/hpux/hppa/hpux_exec.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: hpux_exec.c,v 1.2 2005/03/12 18:38:52 mickey Exp $	*/
+/*	$OpenBSD: hpux_exec.c,v 1.3 2005/12/30 19:46:53 miod Exp $	*/
 
 /*
  * Copyright (c) 2004 Michael Shalayeff.  All rights reserved.
@@ -109,7 +109,7 @@ exec_hpux_makecmds(p, epp)
 	/* XXX read in the aux header if it was not following the som header */
 	if (sysid != MID_HPUX && (!(som_ep->som_version == HPUX_SOM_V0 ||
 	    som_ep->som_version == HPUX_SOM_V1) ||
-	    som_ep->som_auxhdr + sizeof(struct som_aux) < epp->ep_hdrvalid)) {
+	    som_ep->som_auxhdr + sizeof(struct som_aux) > epp->ep_hdrvalid)) {
 		return (error);
 	}
 
diff --git a/sys/compat/hpux/m68k/hpux_exec.c b/sys/compat/hpux/m68k/hpux_exec.c
index 1bad2ef2894..ce5b1d26ec9 100644
--- a/sys/compat/hpux/m68k/hpux_exec.c
+++ b/sys/compat/hpux/m68k/hpux_exec.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: hpux_exec.c,v 1.1 2004/07/09 21:33:45 mickey Exp $	*/
+/*	$OpenBSD: hpux_exec.c,v 1.2 2005/12/30 19:46:55 miod Exp $	*/
 /*	$NetBSD: hpux_exec.c,v 1.8 1997/03/16 10:14:44 thorpej Exp $	*/
 
 /*
@@ -102,6 +102,9 @@ exec_hpux_makecmds(p, epp)
 	short sysid, magic;
 	int error = ENOEXEC;
 
+	if (epp->ep_hdrvalid < sizeof(struct hpux_exec))
+		return (ENOEXEC);
+
 	magic = HPUX_MAGIC(hpux_ep);
 	sysid = HPUX_SYSID(hpux_ep);