20.02.2019 4:22, Mark Johnston wrote: > Author: markj > Date: Tue Feb 19 21:22:22 2019 > New Revision: 344305 > URL: https://svnweb.freebsd.org/changeset/base/344305 > > Log: > Impose a limit on the number of GEOM_CTL arguments. > > Otherwise a privileged user can trigger a memory allocation of > unbounded size, or an integer overflow in the subsequent > geom_alloc_copyin() call, leading to out-of-bounds accesses. > > Hard-code a large limit to circumvent this problem. > > admbug: 854 > Reported by: Anonymous of the Shellphish Grill Team > Reviewed by: ae > MFC after: 1 week > Sponsored by: The FreeBSD Foundation > Differential Revision: https://reviews.freebsd.org/D19251 > > Modified: > head/sys/geom/geom_ctl.c > > Modified: head/sys/geom/geom_ctl.c > ============================================================================== > --- head/sys/geom/geom_ctl.c Tue Feb 19 21:20:50 2019 (r344304) > +++ head/sys/geom/geom_ctl.c Tue Feb 19 21:22:22 2019 (r344305) > @@ -139,6 +139,12 @@ gctl_copyin(struct gctl_req *req) > char *p; > u_int i; > > + if (req->narg > 2048) { > + gctl_error(req, "too many arguments"); > + req->arg = NULL; > + return; > + } > +
Could you replace magic constant 2048 with #define symbol, please? Something like GEOM_ARG_MAX in sys/sys/limits.h or similar. _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
