Module Name: src Committed By: uebayasi Date: Sat Apr 19 22:59:08 UTC 2014
Modified Files: src/sys/kern: kern_exec.c Log Message: copyinargs: Plug theoretical memory leak when fakearg is too long. Pointed out & reviewed by Maxime Villard. To generate a diff of this commit: cvs rdiff -u -r1.403 -r1.404 src/sys/kern/kern_exec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.403 src/sys/kern/kern_exec.c:1.404
--- src/sys/kern/kern_exec.c:1.403 Fri Apr 18 11:44:31 2014
+++ src/sys/kern/kern_exec.c Sat Apr 19 22:59:08 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_exec.c,v 1.403 2014/04/18 11:44:31 maxv Exp $ */
+/* $NetBSD: kern_exec.c,v 1.404 2014/04/19 22:59:08 uebayasi Exp $ */
 /*-
 * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.403 2014/04/18 11:44:31 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.404 2014/04/19 22:59:08 uebayasi Exp $");
 #include "opt_exec.h"
 #include "opt_execfmt.h"
@@ -1468,8 +1468,16 @@ copyinargs(struct execve_data * restrict
 /* Count NUL into len. */
 if (len < maxlen)
 len++;
- else
+ else {
+ while (tmpfap->fa_arg != NULL) {
+ kmem_free(tmpfap->fa_arg,
+ tmpfap->fa_len);
+ tmpfap++;
+ }
+ kmem_free(epp->ep_fa, epp->ep_fa_len);
+ epp->ep_flags &= ~EXEC_HASARGL;
 return E2BIG;
+ }
 ktrexecarg(tmpfap->fa_arg, len - 1);
 dp += len;
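Review bot: The cleanup loop in the new `else` branch starts at the current `tmpfap` rather than at `epp->ep_fa`, so it avoids both a leak and a double free only if every earlier entry was already released by the enclosing loop, which lies outside this hunk. That invariant deserves a comment on the branch, for example `/* Entries before tmpfap were freed by earlier iterations; free the rest. */`. After `kmem_free(epp->ep_fa, epp->ep_fa_len);` the pointer itself is left dangling and, as far as this hunk shows, only the cleared `EXEC_HASARGL` bit keeps other paths away from it. Adding `epp->ep_fa = NULL;` next to the flag update would make a stray later use fail cleanly, assuming no caller depends on the stale value.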