-rw-r--r-- | sys/compat/ibcs2/ibcs2_exec.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sys/compat/ibcs2/ibcs2_exec.c b/sys/compat/ibcs2/ibcs2_exec.c index db3e77fd42b..66f17b47051 100644 --- a/sys/compat/ibcs2/ibcs2_exec.c +++ b/sys/compat/ibcs2/ibcs2_exec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ibcs2_exec.c,v 1.15 2003/11/03 19:58:22 tedu Exp $ */ +/* $OpenBSD: ibcs2_exec.c,v 1.16 2003/11/17 16:18:28 tedu Exp $ */ /* $NetBSD: ibcs2_exec.c,v 1.12 1996/10/12 02:13:52 thorpej Exp $ */ /* @@ -425,11 +425,14 @@ n */ size_t resid; struct coff_slhdr *slhdr; char buf[128], *bufp; /* FIXME */ - int len = sh.s_size, path_index, entry_len; + unsigned int len = sh.s_size, path_index, entry_len; /* DPRINTF(("COFF shlib size %d offset %d\n", sh.s_size, sh.s_scnptr)); */ + if (len > sizeof(buf)) + return (ENOEXEC); + error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t) buf, len, sh.s_scnptr, UIO_SYSSPACE, IO_NODELOCKED, p->p_ucred, @@ -447,6 +450,9 @@ n */ /* DPRINTF(("path_index: %d entry_len: %d name: %s\n", path_index, entry_len, slhdr->sl_name)); */ + if (entry_len > len) + return (ENOEXEC); + error = coff_load_shlib(p, slhdr->sl_name, epp); if (error) return ENOEXEC; |
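Review bot: In the `@@ -425,11 +425,14 @@` hunk the new test `if (len > sizeof(buf))` gives the read an upper bound but no lower one, so a section shorter than `struct coff_slhdr` (including a size of 0) is still accepted. `buf` is not initialised in the lines shown, so the header fields later read through `slhdr` would then presumably come from leftover stack contents rather than from the file; that parsing sits outside the hunk. Suggest `if (len < sizeof(struct coff_slhdr) || len > sizeof(buf)) return (ENOEXEC);`, with a short comment that `sh.s_size` appears to come from the section header of the file being executed and is therefore untrusted. It is also worth confirming that the code following `vn_rdwr` treats a non-zero `resid` as a failure, since a short read leaves the tail of `buf` unfilled.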
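Review bot: In the `@@ -447,6 +450,9 @@` hunk, `if (entry_len > len)` bounds the entry against the section size but does not establish that `slhdr->sl_name` is NUL-terminated inside the bytes that were read, and that pointer is handed straight to `coff_load_shlib()`. Because the earlier check allows `len == sizeof(buf)`, a name with no terminator would be scanned past the end of the 128-byte stack buffer. A zero `entry_len` also passes the test, which matters if the code after this hunk advances through the buffer by `entry_len`; the enclosing loop is not visible here. Suggest `if (entry_len == 0 || entry_len > len) return (ENOEXEC);` plus a check before the call that a terminator exists between `sl_name` and the end of the current entry, returning ENOEXEC if none is found.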