Source-Changes-HG archive
[src/netbsd-1-4]: src/sys/compat/ibcs2 Pull up revision 1.52 (requested by si...
details: https://anonhg.NetBSD.org/src/rev/05ada5f28ce4
branches: netbsd-1-4
changeset: 470887:05ada5f28ce4
user: he <he%NetBSD.org@localhost>
date: Sat Sep 09 15:53:59 2000 +0000
description:
Pull up revision 1.52 (requested by simonb):
More carefully check length of user-supplied data, in particular
make sure we don't overrun the available stack gap in stack gap
allocations.
diffstat:
sys/compat/ibcs2/ibcs2_misc.c | 62 +++++++++++++++++++++++++++---------------
1 files changed, 39 insertions(+), 23 deletions(-)
diffs (117 lines):
diff -r aa72fd65c739 -r 05ada5f28ce4 sys/compat/ibcs2/ibcs2_misc.c
--- a/sys/compat/ibcs2/ibcs2_misc.c Sat Sep 09 15:53:35 2000 +0000
+++ b/sys/compat/ibcs2/ibcs2_misc.c Sat Sep 09 15:53:59 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ibcs2_misc.c,v 1.40 1999/02/09 20:22:37 christos Exp $ */
+/* $NetBSD: ibcs2_misc.c,v 1.40.2.1 2000/09/09 15:53:59 he Exp $ */
/*
* Copyright (c) 1994, 1995, 1998 Scott Bartram
@@ -618,27 +618,39 @@
syscallarg(ibcs2_gid_t *) gidset;
} */ *uap = v;
int error, i;
- ibcs2_gid_t *iset = NULL;
+ ibcs2_gid_t iset[NGROUPS_MAX];
+ gid_t nset[NGROUPS_MAX];
struct sys_getgroups_args sa;
- gid_t *gp;
+ int gidsetsize;
caddr_t sg = stackgap_init(p->p_emul);
- SCARG(&sa, gidsetsize) = SCARG(uap, gidsetsize);
- if (SCARG(uap, gidsetsize)) {
+ gidsetsize = SCARG(uap, gidsetsize);
+ if (gidsetsize > NGROUPS_MAX)
+ return EINVAL;
+
+ SCARG(&sa, gidsetsize) = gidsetsize;
+
+ if (gidsetsize) {
SCARG(&sa, gidset) = stackgap_alloc(&sg, NGROUPS_MAX *
sizeof(gid_t *));
- iset = stackgap_alloc(&sg, SCARG(uap, gidsetsize) *
- sizeof(ibcs2_gid_t));
}
if ((error = sys_getgroups(p, &sa, retval)) != 0)
return error;
- for (i = 0, gp = SCARG(&sa, gidset); i < retval[0]; i++)
- iset[i] = (ibcs2_gid_t)*gp++;
- if (retval[0] && (error = copyout((caddr_t)iset,
- (caddr_t)SCARG(uap, gidset),
- sizeof(ibcs2_gid_t) * retval[0])))
- return error;
- return 0;
+ if (gidsetsize) {
+ gidsetsize = retval[0];
+ if (gidsetsize < 0)
+ gidsetsize = 0;
+ error = copyin((caddr_t)SCARG(&sa, gidset), (caddr_t)nset,
+ sizeof(gid_t) * gidsetsize);
+ if (error)
+ return error;
+ for (i = 0; i < gidsetsize; i++)
+ iset[i] = (ibcs2_gid_t)nset[i];
+ error = copyout((caddr_t)iset,
+ (caddr_t)SCARG(uap, gidset),
+ sizeof(ibcs2_gid_t) * retval[0]);
+ }
+ return error;
}
int
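Review bot: The new bound `if (gidsetsize > NGROUPS_MAX)` rejects only counts that are too large; `gidsetsize` is a signed `int` here, so a negative value passes and is handed to sys_getgroups as a non-zero size. Checking both ends closes that: `if (gidsetsize < 0 || gidsetsize > NGROUPS_MAX) return EINVAL;`. The same one-sided test is in the ibcs2_sys_setgroups hunk, where the count then scales the `copyin` length into the fixed-size `iset[NGROUPS_MAX]` on the kernel stack; if the argument is signed there too, a negative value becomes a very large length. Separately, the final `copyout` still takes its size from `retval[0]` rather than the clamped `gidsetsize` used by the `copyin` above it. The function begins above this hunk.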
@@ -652,24 +664,28 @@
syscallarg(ibcs2_gid_t *) gidset;
} */ *uap = v;
int error, i;
- ibcs2_gid_t *iset;
+ ibcs2_gid_t iset[NGROUPS_MAX];
struct sys_setgroups_args sa;
- gid_t *gp;
+ gid_t gp[NGROUPS_MAX], *ngid;
caddr_t sg = stackgap_init(p->p_emul);
SCARG(&sa, gidsetsize) = SCARG(uap, gidsetsize);
- gp = stackgap_alloc(&sg, SCARG(&sa, gidsetsize) * sizeof(gid_t *));
- iset = stackgap_alloc(&sg, SCARG(&sa, gidsetsize) *
- sizeof(ibcs2_gid_t *));
+ if (SCARG(uap, gidsetsize) > NGROUPS_MAX)
+ return EINVAL;
+
if (SCARG(&sa, gidsetsize)) {
error = copyin((caddr_t)SCARG(uap, gidset), (caddr_t)iset,
- sizeof(ibcs2_gid_t *) * SCARG(uap, gidsetsize));
+ sizeof(ibcs2_gid_t) * SCARG(uap, gidsetsize));
if (error)
return error;
}
for (i = 0; i < SCARG(&sa, gidsetsize); i++)
gp[i]= (gid_t)iset[i];
- SCARG(&sa, gidset) = gp;
+ ngid = stackgap_alloc(&sg, NGROUPS_MAX * sizeof(gid_t));
+ error = copyout(gp, ngid, SCARG(&sa, gidsetsize) * sizeof(gid_t));
+ if (error)
+ return error;
+ SCARG(&sa, gidset) = ngid;
return sys_setgroups(p, &sa, retval);
}
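Review bot: The bounce through the stack gap at `ngid = stackgap_alloc(&sg, NGROUPS_MAX * sizeof(gid_t));` followed by `copyout(gp, ngid, ...)` has no comment saying why converted kernel data is written back to user space before the call. A line such as `/* sys_setgroups() expects gidset in user space, so stage the converted ids in the stack gap */` would help; that is presumably the reason, to be confirmed against sys_setgroups. The count is also read through two names (`SCARG(uap, gidsetsize)` in the check and `copyin`, `SCARG(&sa, gidsetsize)` in the guard, loop and `copyout`); one local, as in the getgroups hunk, would make it easier to see that every length uses the validated value. The function begins above this hunk.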
@@ -1007,8 +1023,9 @@
int error;
struct sys_utimes_args sa;
struct timeval *tp;
+
caddr_t sg = stackgap_init(p->p_emul);
-
+ tp = stackgap_alloc(&sg, 2 * sizeof(struct timeval *));
IBCS2_CHECK_ALT_EXIST(p, &sg, SCARG(uap, path));
SCARG(&sa, path) = SCARG(uap, path);
if (SCARG(uap, buf)) {
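Review bot: The relocated allocation `tp = stackgap_alloc(&sg, 2 * sizeof(struct timeval *));` reserves room for two pointers, but `tp` is a `struct timeval *` and the following hunk stores `tv_sec`/`tv_usec` into both `tp[0]` and `tp[1]`, i.e. two full structures. The size should be `2 * sizeof(struct timeval)` (or `2 * sizeof(*tp)`). Now that the allocation comes before `IBCS2_CHECK_ALT_EXIST`, anything that macro takes from the same gap would sit directly after the undersized region, so the writes through `tp` may overlap it; that depends on the macro's definition, which is not shown here. The function continues outside the hunk.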
@@ -1018,7 +1035,6 @@
sizeof(ubuf));
if (error)
return error;
- tp = stackgap_alloc(&sg, 2 * sizeof(struct timeval *));
tp[0].tv_sec = ubuf.actime;
tp[0].tv_usec = 0;
tp[1].tv_sec = ubuf.modtime;