Module Name: src
Committed By: snj
Date: Wed Aug 9 06:32:22 UTC 2017
Modified Files:
src/sys/kern [netbsd-7-1]: kern_malloc.c
Log Message:
Pull up following revision(s) (requested by martin in ticket #1461):
sys/kern/kern_malloc.c: revision 1.146
Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.143.2.1 -r1.143.2.1.6.1 src/sys/kern/kern_malloc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_malloc.c
diff -u src/sys/kern/kern_malloc.c:1.143.2.1 src/sys/kern/kern_malloc.c:1.143.2.1.6.1
--- src/sys/kern/kern_malloc.c:1.143.2.1 Wed Mar 25 16:54:37 2015
+++ src/sys/kern/kern_malloc.c Wed Aug 9 06:32:22 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_malloc.c,v 1.143.2.1 2015/03/25 16:54:37 snj Exp $ */
+/* $NetBSD: kern_malloc.c,v 1.143.2.1.6.1 2017/08/09 06:32:22 snj Exp $ */
/*
* Copyright (c) 1987, 1991, 1993
@@ -70,7 +70,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.143.2.1 2015/03/25 16:54:37 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.143.2.1.6.1 2017/08/09 06:32:22 snj Exp $");
#include <sys/param.h>
#include <sys/malloc.h>
@@ -105,7 +105,10 @@ kern_malloc(unsigned long size, int flag
void *p;
if (size >= PAGE_SIZE) {
- allocsize = PAGE_SIZE + size; /* for page alignment */
+ if (size > (ULONG_MAX-PAGE_SIZE))
+ allocsize = ULONG_MAX; /* this will fail later */
+ else
+ allocsize = PAGE_SIZE + size; /* for page alignment */
hdroffset = PAGE_SIZE - sizeof(struct malloc_header);
} else {
allocsize = sizeof(struct malloc_header) + size;
