Module Name: src
Committed By: uebayasi
Date: Sat Apr 19 22:59:08 UTC 2014
Modified Files:
src/sys/kern: kern_exec.c
Log Message:
copyinargs: Plug theoretical memory leak when fakearg is too long.
Pointed out & reviewed by Maxime Villard.
To generate a diff of this commit:
cvs rdiff -u -r1.403 -r1.404 src/sys/kern/kern_exec.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.403 src/sys/kern/kern_exec.c:1.404
--- src/sys/kern/kern_exec.c:1.403 Fri Apr 18 11:44:31 2014
+++ src/sys/kern/kern_exec.c Sat Apr 19 22:59:08 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_exec.c,v 1.403 2014/04/18 11:44:31 maxv Exp $ */
+/* $NetBSD: kern_exec.c,v 1.404 2014/04/19 22:59:08 uebayasi Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.403 2014/04/18 11:44:31 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.404 2014/04/19 22:59:08 uebayasi Exp $");
#include "opt_exec.h"
#include "opt_execfmt.h"
@@ -1468,8 +1468,16 @@ copyinargs(struct execve_data * restrict
/* Count NUL into len. */
if (len < maxlen)
len++;
- else
+ else {
+ while (tmpfap->fa_arg != NULL) {
+ kmem_free(tmpfap->fa_arg,
+ tmpfap->fa_len);
+ tmpfap++;
+ }
+ kmem_free(epp->ep_fa, epp->ep_fa_len);
+ epp->ep_flags &= ~EXEC_HASARGL;
return E2BIG;
+ }
ktrexecarg(tmpfap->fa_arg, len - 1);
dp += len;
