From 7e2ce9013f05c75e01cb40373c07987f0ef38c18 Mon Sep 17 00:00:00 2001
From: Philip Guenthe
Date: Tue, 29 Jun 2010 16:39:24 +0000
Subject: Fail instead of lying if a process asks sysctl()'s KERN_PROC2 or KERN_FILE2 (or their libkvm wrappers) for more information than the running implementation knows how to provide. ok millert@ deraadt@
---
 lib/libkvm/kvm_file2.c | 7 ++++++-
 lib/libkvm/kvm_proc2.c | 8 +++++++-
 sys/kern/kern_sysctl.c | 7 ++++---
 3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/lib/libkvm/kvm_file2.c b/lib/libkvm/kvm_file2.c
index 0df59df095a..2af3d7702fa 100644
--- a/lib/libkvm/kvm_file2.c
+++ b/lib/libkvm/kvm_file2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kvm_file2.c,v 1.14 2010/01/10 03:37:50 guenther Exp $ */
+/* $OpenBSD: kvm_file2.c,v 1.15 2010/06/29 16:39:23 guenther Exp $ */
 /*
 * Copyright (c) 2009 Todd C. Miller
@@ -172,6 +172,11 @@ kvm_getfile2(kvm_t *kd, int op, int arg, size_t esize, int *cnt)
 *cnt = size / esize;
 return ((struct kinfo_file2 *)kd->filebase);
 } else {
+ if (esize > sizeof(struct kinfo_file2)) {
+ _kvm_syserr(kd, kd->program,
+ "kvm_getfile2: unknown fields requested: libkvm out of date?");
+ return (NULL);
+ }
 deadway:
 switch (op) {
 case KERN_FILE_BYFILE:
diff --git a/lib/libkvm/kvm_proc2.c b/lib/libkvm/kvm_proc2.c
index 7e3fb8b863b..00e7f774dec 100644
--- a/lib/libkvm/kvm_proc2.c
+++ b/lib/libkvm/kvm_proc2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kvm_proc2.c,v 1.1 2010/01/10 03:37:50 guenther Exp $ */
+/* $OpenBSD: kvm_proc2.c,v 1.2 2010/06/29 16:39:23 guenther Exp $ */
 /* $NetBSD: kvm_proc.c,v 1.30 1999/03/24 05:50:50 mrg Exp $ */
 /*-
 * Copyright (c) 1998 The NetBSD Foundation, Inc.
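Review bot: In the kvm_getfile2 hunk of lib/libkvm/kvm_file2.c the new `esize > sizeof(struct kinfo_file2)` check sits above the `deadway:` label, so any `goto deadway` elsewhere in the function jumps straight past it. The jump site is outside the hunk, but if the live-kernel branch falls back to `deadway` when sysctl() fails, the kernel's new EINVAL for an oversized element would take exactly that path and the dead-kernel code would run with an unchecked `esize`. Moving the check to just below `deadway:`, or to the top of kvm_getfile2 directly after the declarations (where the kvm_getproc2 hunk puts its check), covers every entry into that code.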
@@ -330,6 +330,12 @@ kvm_getproc2(kvm_t *kd, int op, int arg, size_t esize, int *cnt)
 struct proc *p;
 char *bp;
+ if (esize > sizeof(struct kinfo_proc2)) {
+ _kvm_syserr(kd, kd->program,
+ "kvm_getproc2: unknown fields requested: libkvm out of date?");
+ return (NULL);
+ }
+
 memset(nl, 0, sizeof(nl));
 nl[0].n_name = "_nprocs";
 nl[1].n_name = "_allproc";
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 125e8334668..401280e5101 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sysctl.c,v 1.185 2010/06/29 00:28:14 tedu Exp $ */
+/* $OpenBSD: kern_sysctl.c,v 1.186 2010/06/29 16:39:22 guenther Exp $ */
 /* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */
 /*-
@@ -1198,7 +1198,7 @@ sysctl_file2(int *name, u_int namelen, char *where, size_t *sizep,
 if (namelen > 4)
 return (ENOTDIR);
- if (namelen < 4)
+ if (namelen < 4 || name[2] > sizeof(*kf))
 return (EINVAL);
 buflen = where != NULL ? *sizep : 0;
@@ -1352,7 +1352,8 @@ sysctl_doproc(int *name, u_int namelen, char *where, size_t *sizep)
 elem_size = elem_count = 0;
 eproc = malloc(sizeof(struct eproc), M_TEMP, M_WAITOK);
 } else /* if (type == KERN_PROC2) */ {
- if (namelen != 5 || name[3] < 0 || name[4] < 0)
+ if (namelen != 5 || name[3] < 0 || name[4] < 0 ||
+ name[3] > sizeof(*kproc2))
 return (EINVAL);
 op = name[1];
 arg = name[2];
-- cgit v1.2.3
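Review bot: The rejection path added to kvm_getproc2 reports through `_kvm_syserr`, which to my knowledge appends strerror(errno) to the message, yet nothing on this path sets errno, so the text can end with an unrelated system error. Either set `errno = EINVAL;` just before the call or report with `_kvm_err(kd, kd->program, "kvm_getproc2: unknown fields requested: libkvm out of date?");`. The identical call in the kvm_getfile2 hunk of lib/libkvm/kvm_file2.c has the same problem. The rest of kvm_getproc2 lies outside the hunk.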
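Review bot: In sysctl_file2 the added `name[2] > sizeof(*kf)` compares an `int` with a `size_t`, so a negative element size is refused only because it converts to a very large unsigned value. The outcome is right, but it is implicit and may draw a sign-compare warning; the sysctl_doproc hunk spells the negative case out, and this one could match it with `if (namelen < 4 || name[2] < 0 || name[2] > sizeof(*kf))`. A short comment such as `/* refuse element sizes larger than the struct this kernel can fill */` would record why the upper bound exists, here and beside the `name[3] > sizeof(*kproc2)` test in sysctl_doproc. Both function bodies continue outside their hunks.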