diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2006-10-06 05:47:28 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2006-10-06 05:47:28 +0000 |
commit | 2b7f5f9782552858d18e8cb2db17c4f83fce8287 (patch) | |
tree | 13a1b133e2f915f0776715367a30134d2f5a99b0 /sys/dev | |
parent | 117ba46a42fdd3ef936a5bfbe2d62ae225236355 (diff) |
fix an exploitable integer overflow found by Chris Evans of Google
Security; ok deraadt
Diffstat (limited to 'sys/dev')
-rw-r--r-- | sys/dev/systrace.c | 17 | ||||
-rw-r--r-- | sys/dev/systrace.h | 3 |
2 files changed, 16 insertions, 4 deletions
diff --git a/sys/dev/systrace.c b/sys/dev/systrace.c index 82767fed48a..3620497433f 100644 --- a/sys/dev/systrace.c +++ b/sys/dev/systrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: systrace.c,v 1.42 2006/05/28 17:06:38 pedro Exp $ */ +/* $OpenBSD: systrace.c,v 1.43 2006/10/06 05:47:27 djm Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * All rights reserved. @@ -1359,9 +1359,16 @@ systrace_preprepl(struct str_process *strp, struct systrace_replace *repl) return (EINVAL); for (i = 0, len = 0; i < repl->strr_nrepl; i++) { - len += repl->strr_offlen[i]; + if (repl->strr_argind[i] < 0 || + repl->strr_argind[i] >= SYSTR_MAXARGS) + return (EINVAL); if (repl->strr_offlen[i] == 0) continue; + len += repl->strr_offlen[i]; + if (repl->strr_offlen[i] > SYSTR_MAXREPLEN || + repl->strr_off[i] > SYSTR_MAXREPLEN || + len > SYSTR_MAXREPLEN) + return (EINVAL); if (repl->strr_offlen[i] + repl->strr_off[i] > len) return (EINVAL); } @@ -1371,7 +1378,7 @@ systrace_preprepl(struct str_process *strp, struct systrace_replace *repl) return (EINVAL); /* Check against a maximum length */ - if (repl->strr_len > 2048) + if (repl->strr_len > SYSTR_MAXREPLEN) return (EINVAL); strp->replace = (struct systrace_replace *) @@ -1406,6 +1413,10 @@ systrace_replace(struct str_process *strp, size_t argsize, register_t args[]) maxarg = argsize/sizeof(register_t); ubase = stackgap_alloc(&strp->sg, repl->strr_len); + if (ubase == NULL) { + ret = EINVAL; + goto out; + } kbase = repl->strr_base; for (i = 0; i < maxarg && i < repl->strr_nrepl; i++) { diff --git a/sys/dev/systrace.h b/sys/dev/systrace.h index 741ee0106c9..4317bf9bb57 100644 --- a/sys/dev/systrace.h +++ b/sys/dev/systrace.h @@ -1,4 +1,4 @@ -/* $OpenBSD: systrace.h,v 1.19 2006/05/23 22:28:22 alek Exp $ */ +/* $OpenBSD: systrace.h,v 1.20 2006/10/06 05:47:27 djm Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * All rights reserved. @@ -54,6 +54,7 @@ struct str_msg_execve { #define SYSTR_MAXARGS 64 #define SYSTR_MAXFNAME 8 #define SYSTR_MAXINJECTS 8 +#define SYSTR_MAXREPLEN 2048 struct str_msg_ask { int code; |