FreeBSD Bugzilla – Attachment 16423 Details for Bug 30112: Inadequate validation of kernel message buffer (msgbufp)
file.diff (text/plain), 934 bytes, created by peter.jeremy on 2001-08-26 22:20:00 UTC
>Index: subr_prf.c >=================================================================== >RCS file: /usr/ncvs/src/sys/kern/subr_prf.c,v >retrieving revision 1.61.2.2 >diff -u -r1.61.2.2 subr_prf.c >--- subr_prf.c 2001/08/08 22:31:16 1.61.2.2 >+++ subr_prf.c 2001/08/26 04:45:47 >@@ -836,13 +836,17 @@ > { > char *cp; > static struct msgbuf *oldp = NULL; >+ unsigned int msg_size; > > cp = (char *)ptr; > msgbufp = (struct msgbuf *) (cp + size - sizeof(*msgbufp)); >- if (msgbufp->msg_magic != MSG_MAGIC || msgbufp->msg_ptr != cp) { >+ msg_size = (char *)msgbufp - cp; >+ if (msgbufp->msg_magic != MSG_MAGIC || msgbufp->msg_ptr != cp || >+ msgbufp->msg_size != msg_size || msgbufp->msg_bufx >= msg_size || >+ msgbufp->msg_bufr >= msg_size) { > bzero(cp, size); > msgbufp->msg_magic = MSG_MAGIC; >- msgbufp->msg_size = (char *)msgbufp - cp; >+ msgbufp->msg_size = msg_size; > msgbufp->msg_ptr = cp; > } > if (msgbufmapped && oldp != msgbufp)
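Review bot: the new `msg_size = (char *)msgbufp - cp;` stores a pointer difference in an `unsigned int` without first checking that `size` is larger than `sizeof(*msgbufp)`. If a caller ever passed a smaller `size`, `msgbufp` would sit before `cp`, `msg_size` would wrap to a very large value, and the added `msg_bufx >= msg_size` and `msg_bufr >= msg_size` tests would accept almost any index. Consider asserting on or rejecting `size <= sizeof(*msgbufp)` before computing `msg_size`. Separately, the reset branch relies on `bzero(cp, size)` to clear `msg_bufx` and `msg_bufr`, which works because the header occupies the last `sizeof(*msgbufp)` bytes of the zeroed region. A short comment above the condition saying so, and saying why these fields are validated, would keep a later edit from narrowing the `bzero` and leaving stale indices behind.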