author | mmcc <mmcc@cvs.openbsd.org> | 2015-12-31 18:55:34 +0000 |
---|---|---|
committer | mmcc <mmcc@cvs.openbsd.org> | 2015-12-31 18:55:34 +0000 |
commit | c6cc41ea7b598b1ca253c1b915d06494bd321306 (patch) | |
tree | 6bfba941a679393d41dae66f53d7ab9d136fa673 /sys/kern | |
parent | 1ab79f0ee555dd665cab050f464760c62679253f (diff) |
NULL-terminate a pointer array to prevent an invalid free, and simplify
the associated pointer incrementing logic.
Reported by Maxim Pugachev. Looks good to tedu@
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/exec_script.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/sys/kern/exec_script.c b/sys/kern/exec_script.c
index d99c05b1153..214c5566430 100644
--- a/sys/kern/exec_script.c
+++ b/sys/kern/exec_script.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exec_script.c,v 1.36 2015/09/10 18:10:35 deraadt Exp $ */
+/* $OpenBSD: exec_script.c,v 1.37 2015/12/31 18:55:33 mmcc Exp $ */
 /* $NetBSD: exec_script.c,v 1.13 1996/02/04 02:15:06 christos Exp $ */

 /*
@@ -208,24 +208,25 @@ check_shell:
 #if NSYSTRACE > 0
 if (ISSET(p->p_flag, P_SYSTRACE)) {
 error = systrace_scriptname(p, *tmpsap);
- if (error == 0)
- tmpsap++;
- else
+ if (error != 0)
 /*
 * Since systrace_scriptname() provides a
 * convenience, not a security issue, we are
 * safe to do this.
 */
- error = copystr(epp->ep_name, *tmpsap++,
+ error = copystr(epp->ep_name, *tmpsap,
 MAXPATHLEN, NULL);
 } else
 #endif
- error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
+ error = copyinstr(epp->ep_name, *tmpsap, MAXPATHLEN,
 NULL);
- if (error != 0)
+ if (error != 0) {
+ *(tmpsap + 1) = NULL;
 goto fail;
+ }
 } else
- snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
+ snprintf(*tmpsap, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
+ tmpsap++;
 *tmpsap = NULL;

 /* |
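Review bot: The error-path terminator `*(tmpsap + 1) = NULL;` in the second hunk has no comment explaining why it is needed, and the success path terminates the same slot separately with `tmpsap++; *tmpsap = NULL;`, so the NULL-termination invariant is kept by hand in two places. Going by the commit message, the cleanup at `fail` (outside this hunk, as are the start and end of the enclosing function) frees entries until it meets NULL, so any exit added later between filling a slot and terminating the array would bring the invalid free back. I would write the store as `tmpsap[1] = NULL;` with a comment such as `/* fail: frees entries up to the first NULL, so terminate before bailing out */`. If the array allocation, which is also not visible here, can be zero-filled with `M_ZERO`, every early exit becomes safe without per-path stores. Separately, the unbraced `if (error != 0)` in the systrace branch has a block comment between the condition and its single statement and would be safer braced, as this commit already does for the later `if (error != 0) {`.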