Module Name: src Committed By: snj Date: Wed Aug 9 06:32:22 UTC 2017
Modified Files: src/sys/kern [netbsd-7-1]: kern_malloc.c Log Message: Pull up following revision(s) (requested by martin in ticket #1461): sys/kern/kern_malloc.c: revision 1.146 Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel. To generate a diff of this commit: cvs rdiff -u -r1.143.2.1 -r1.143.2.1.6.1 src/sys/kern/kern_malloc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_malloc.c
diff -u src/sys/kern/kern_malloc.c:1.143.2.1 src/sys/kern/kern_malloc.c:1.143.2.1.6.1
--- src/sys/kern/kern_malloc.c:1.143.2.1 Wed Mar 25 16:54:37 2015
+++ src/sys/kern/kern_malloc.c Wed Aug 9 06:32:22 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_malloc.c,v 1.143.2.1 2015/03/25 16:54:37 snj Exp $ */
+/* $NetBSD: kern_malloc.c,v 1.143.2.1.6.1 2017/08/09 06:32:22 snj Exp $ */
 /*
 * Copyright (c) 1987, 1991, 1993
@@ -70,7 +70,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.143.2.1 2015/03/25 16:54:37 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.143.2.1.6.1 2017/08/09 06:32:22 snj Exp $");
 #include <sys/param.h>
 #include <sys/malloc.h>
@@ -105,7 +105,10 @@ kern_malloc(unsigned long size, int flag
 void *p;
 if (size >= PAGE_SIZE) {
- allocsize = PAGE_SIZE + size; /* for page alignment */
+ if (size > (ULONG_MAX-PAGE_SIZE))
+ allocsize = ULONG_MAX; /* this will fail later */
+ else
+ allocsize = PAGE_SIZE + size; /* for page alignment */
 hdroffset = PAGE_SIZE - sizeof(struct malloc_header);
 } else {
 allocsize = sizeof(struct malloc_header) + size;
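Review bot: The overflow branch in `kern_malloc()` stores the sentinel `allocsize = ULONG_MAX` and relies on the allocator call further down, outside this hunk, to reject it. The fix is therefore only as sound as that callee's own size arithmetic: if it rounds the request up or adds a header of its own, `ULONG_MAX` could wrap to a small value there and yield an undersized allocation. Failing at the point of detection is easier to audit, e.g. `if (size > ULONG_MAX - PAGE_SIZE) return NULL;`, provided callers that pass a waiting flag tolerate a NULL return (not visible here, so confirm). The `else` branch `allocsize = sizeof(struct malloc_header) + size;` cannot overflow only because `size < PAGE_SIZE` on that path, and a one-line comment saying so would make that invariant explicit. The function body begins and ends outside the hunk.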