aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMaxim Konovalov <maxim@FreeBSD.org>2005-04-08 11:59:20 +0000
committerMaxim Konovalov <maxim@FreeBSD.org>2005-04-08 11:59:20 +0000
commita39fbcf41c46859057dceea9a479d08a733dbebd (patch)
tree85b9e3f71929280798fcb17ce135d0684620fafe
parentf7e41fe05b63955dae50c7f789e363576b0570af (diff)
downloadsrc-a39fbcf41c46859057dceea9a479d08a733dbebd.tar.gz
src-a39fbcf41c46859057dceea9a479d08a733dbebd.zip
o Merge SA-04:17.procfs, SA-05:01.telnet and SA-05:02.sendfile.
Approved by: so (nectar, cperciva) Thanks for testing to: Valentin Nechayev
Notes
Notes: svn path=/releng/4.9/; revision=144797
-rw-r--r--UPDATING10
-rw-r--r--crypto/heimdal/appl/telnet/telnet/telnet.c30
-rw-r--r--crypto/kerberosIV/appl/telnet/telnet/telnet.c30
-rw-r--r--crypto/telnet/telnet/telnet.c30
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/miscfs/procfs/procfs_status.c17
-rw-r--r--sys/ufs/ffs/ffs_inode.c1
-rw-r--r--usr.bin/telnet/telnet.c30
8 files changed, 124 insertions, 26 deletions
diff --git a/UPDATING b/UPDATING
index 4d9df8ce558b..9149c3000c63 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,16 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20050408: p14 FreeBSD-SA-04:17.procfs, FreeBSD-SA-05:01.telnet,
+ FreeBSD-SA-05:02.sendfile
+ Fix a tainted pointer dereference in procfs(5) and linprocfs(5)
+ which could allow a local attacker to panic a system and/or read
+ from kernel memory.
+
+ Correct buffer overflows in telnet(1).
+
+ Correct kernel memory disclosure bug in sendfile(2).
+
20041118: p13 FreeBSD-SA-04:16.fetch
Correct a buffer overflow in fetch(1) which could allow a
mallicious server to execute arbitrary code on the client.
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.c b/crypto/heimdal/appl/telnet/telnet/telnet.c
index bbc99990e201..8ea82d6494ba 100644
--- a/crypto/heimdal/appl/telnet/telnet/telnet.c
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.c
@@ -1294,6 +1294,7 @@ slc_check()
unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
unsigned char *slc_replyp;
void
@@ -1309,6 +1310,14 @@ slc_start_reply()
void
slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
{
+ /* A sequence of up to 6 bytes my be written for this member of the SLC
+ * suboption list by this function. The end of negotiation command,
+ * which is written by slc_end_reply(), will require 2 additional
+ * bytes. Do not proceed unless there is sufficient space for these
+ * items.
+ */
+ if (&slc_replyp[6+2] > slc_reply_eom)
+ return;
if ((*slc_replyp++ = func) == IAC)
*slc_replyp++ = IAC;
if ((*slc_replyp++ = flags) == IAC)
@@ -1322,6 +1331,9 @@ slc_end_reply()
{
int len;
+ /* The end of negotiation command requires 2 bytes. */
+ if (&slc_replyp[2] > slc_reply_eom)
+ return;
*slc_replyp++ = IAC;
*slc_replyp++ = SE;
len = slc_replyp - slc_reply;
@@ -1415,8 +1427,8 @@ env_opt(unsigned char *buf, int len)
}
}
-#define OPT_REPLY_SIZE 256
-unsigned char *opt_reply;
+#define OPT_REPLY_SIZE (2 * SUBBUFSIZE)
+unsigned char *opt_reply = NULL;
unsigned char *opt_replyp;
unsigned char *opt_replyend;
@@ -1475,9 +1487,9 @@ env_opt_add(unsigned char *ep)
return;
}
vp = env_getvalue(ep);
- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
- strlen((char *)ep) + 6 > opt_replyend)
- {
+ if (opt_replyp + (vp ? 2 * strlen((char *)vp) : 0) +
+ 2 * strlen((char *)ep) + 6 > opt_replyend)
+ {
int len;
void *tmp;
opt_replyend += OPT_REPLY_SIZE;
@@ -1503,6 +1515,8 @@ env_opt_add(unsigned char *ep)
*opt_replyp++ = ENV_USERVAR;
for (;;) {
while ((c = *ep++)) {
+ if (opt_replyp + (2 + 2) > opt_replyend)
+ return;
switch(c&0xff) {
case IAC:
*opt_replyp++ = IAC;
@@ -1517,6 +1531,8 @@ env_opt_add(unsigned char *ep)
*opt_replyp++ = c;
}
if ((ep = vp)) {
+ if (opt_replyp + (1 + 2 + 2) > opt_replyend)
+ return;
#ifdef OLD_ENVIRON
if (telopt_environ == TELOPT_OLD_ENVIRON)
*opt_replyp++ = old_env_value;
@@ -1547,7 +1563,9 @@ env_opt_end(int emptyok)
{
int len;
- len = opt_replyp - opt_reply + 2;
+ if (opt_replyp + 2 > opt_replyend)
+ return;
+ len = opt_replyp + 2 - opt_reply;
if (emptyok || len > 6) {
*opt_replyp++ = IAC;
*opt_replyp++ = SE;
diff --git a/crypto/kerberosIV/appl/telnet/telnet/telnet.c b/crypto/kerberosIV/appl/telnet/telnet/telnet.c
index 1df4d6ea35b2..0275357025ed 100644
--- a/crypto/kerberosIV/appl/telnet/telnet/telnet.c
+++ b/crypto/kerberosIV/appl/telnet/telnet/telnet.c
@@ -1285,6 +1285,7 @@ slc_check()
unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
unsigned char *slc_replyp;
void
@@ -1300,6 +1301,14 @@ slc_start_reply()
void
slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
{
+ /* A sequence of up to 6 bytes my be written for this member of the SLC
+ * suboption list by this function. The end of negotiation command,
+ * which is written by slc_end_reply(), will require 2 additional
+ * bytes. Do not proceed unless there is sufficient space for these
+ * items.
+ */
+ if (&slc_replyp[6+2] > slc_reply_eom)
+ return;
if ((*slc_replyp++ = func) == IAC)
*slc_replyp++ = IAC;
if ((*slc_replyp++ = flags) == IAC)
@@ -1313,6 +1322,9 @@ slc_end_reply()
{
int len;
+ /* The end of negotiation command requires 2 bytes. */
+ if (&slc_replyp[2] > slc_reply_eom)
+ return;
*slc_replyp++ = IAC;
*slc_replyp++ = SE;
len = slc_replyp - slc_reply;
@@ -1406,8 +1418,8 @@ env_opt(unsigned char *buf, int len)
}
}
-#define OPT_REPLY_SIZE 256
-unsigned char *opt_reply;
+#define OPT_REPLY_SIZE (2 * SUBBUFSIZE)
+unsigned char *opt_reply = NULL;
unsigned char *opt_replyp;
unsigned char *opt_replyend;
@@ -1460,9 +1472,9 @@ env_opt_add(unsigned char *ep)
return;
}
vp = env_getvalue(ep);
- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
- strlen((char *)ep) + 6 > opt_replyend)
- {
+ if (opt_replyp + (vp ? 2 * strlen((char *)vp) : 0) +
+ 2 * strlen((char *)ep) + 6 > opt_replyend)
+ {
int len;
opt_replyend += OPT_REPLY_SIZE;
len = opt_replyend - opt_reply;
@@ -1486,6 +1498,8 @@ env_opt_add(unsigned char *ep)
*opt_replyp++ = ENV_USERVAR;
for (;;) {
while ((c = *ep++)) {
+ if (opt_replyp + (2 + 2) > opt_replyend)
+ return;
switch(c&0xff) {
case IAC:
*opt_replyp++ = IAC;
@@ -1500,6 +1514,8 @@ env_opt_add(unsigned char *ep)
*opt_replyp++ = c;
}
if ((ep = vp)) {
+ if (opt_replyp + (1 + 2 + 2) > opt_replyend)
+ return;
#ifdef OLD_ENVIRON
if (telopt_environ == TELOPT_OLD_ENVIRON)
*opt_replyp++ = old_env_value;
@@ -1530,7 +1546,9 @@ env_opt_end(int emptyok)
{
int len;
- len = opt_replyp - opt_reply + 2;
+ if (opt_replyp + 2 > opt_replyend)
+ return;
+ len = opt_replyp + 2 - opt_reply;
if (emptyok || len > 6) {
*opt_replyp++ = IAC;
*opt_replyp++ = SE;
diff --git a/crypto/telnet/telnet/telnet.c b/crypto/telnet/telnet/telnet.c
index 4644531376fa..c9f58ebcbe9a 100644
--- a/crypto/telnet/telnet/telnet.c
+++ b/crypto/telnet/telnet/telnet.c
@@ -1318,6 +1318,7 @@ slc_check(void)
}
unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
unsigned char *slc_replyp;
void
@@ -1333,6 +1334,14 @@ slc_start_reply(void)
void
slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
{
+ /* A sequence of up to 6 bytes my be written for this member of the SLC
+ * suboption list by this function. The end of negotiation command,
+ * which is written by slc_end_reply(), will require 2 additional
+ * bytes. Do not proceed unless there is sufficient space for these
+ * items.
+ */
+ if (&slc_replyp[6+2] > slc_reply_eom)
+ return;
if ((*slc_replyp++ = func) == IAC)
*slc_replyp++ = IAC;
if ((*slc_replyp++ = flags) == IAC)
@@ -1346,6 +1355,9 @@ slc_end_reply(void)
{
int len;
+ /* The end of negotiation command requires 2 bytes. */
+ if (&slc_replyp[2] > slc_reply_eom)
+ return;
*slc_replyp++ = IAC;
*slc_replyp++ = SE;
len = slc_replyp - slc_reply;
@@ -1463,8 +1475,8 @@ env_opt(unsigned char *buf, int len)
}
}
-#define OPT_REPLY_SIZE 256
-unsigned char *opt_reply;
+#define OPT_REPLY_SIZE (2 * SUBBUFSIZE)
+unsigned char *opt_reply = NULL;
unsigned char *opt_replyp;
unsigned char *opt_replyend;
@@ -1517,9 +1529,9 @@ env_opt_add(unsigned char *ep)
return;
}
vp = env_getvalue(ep);
- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
- strlen((char *)ep) + 6 > opt_replyend)
- {
+ if (opt_replyp + (vp ? 2 * strlen((char *)vp) : 0) +
+ 2 * strlen((char *)ep) + 6 > opt_replyend)
+ {
int len;
opt_replyend += OPT_REPLY_SIZE;
len = opt_replyend - opt_reply;
@@ -1543,6 +1555,8 @@ env_opt_add(unsigned char *ep)
*opt_replyp++ = ENV_USERVAR;
for (;;) {
while ((c = *ep++)) {
+ if (opt_replyp + (2 + 2) > opt_replyend)
+ return;
switch(c&0xff) {
case IAC:
*opt_replyp++ = IAC;
@@ -1557,6 +1571,8 @@ env_opt_add(unsigned char *ep)
*opt_replyp++ = c;
}
if ((ep = vp)) {
+ if (opt_replyp + (1 + 2 + 2) > opt_replyend)
+ return;
#ifdef OLD_ENVIRON
if (telopt_environ == TELOPT_OLD_ENVIRON)
*opt_replyp++ = old_env_value;
@@ -1587,7 +1603,9 @@ env_opt_end(int emptyok)
{
int len;
- len = opt_replyp - opt_reply + 2;
+ if (opt_replyp + 2 > opt_replyend)
+ return;
+ len = opt_replyp + 2 - opt_reply;
if (emptyok || len > 6) {
*opt_replyp++ = IAC;
*opt_replyp++ = SE;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 16670061961f..af4fc7f70a7f 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.9"
-BRANCH="RELEASE-p13"
+BRANCH="RELEASE-p14"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/miscfs/procfs/procfs_status.c b/sys/miscfs/procfs/procfs_status.c
index 370f23a6efb2..3e8dbc72f5ed 100644
--- a/sys/miscfs/procfs/procfs_status.c
+++ b/sys/miscfs/procfs/procfs_status.c
@@ -186,6 +186,7 @@ procfs_docmdline(curp, p, pfs, uio)
char *buf, *bp;
int buflen;
struct ps_strings pstr;
+ char **ps_argvstr;
int i;
size_t bytes_left, done;
@@ -223,9 +224,22 @@ procfs_docmdline(curp, p, pfs, uio)
FREE(buf, M_TEMP);
return (error);
}
+ if (pstr.ps_nargvstr > ARG_MAX) {
+ FREE(buf, M_TEMP);
+ return (E2BIG);
+ }
+ MALLOC(ps_argvstr, char **, pstr.ps_nargvstr * sizeof(char *),
+ M_TEMP, M_WAITOK);
+ error = copyin((void *)pstr.ps_argvstr, ps_argvstr,
+ pstr.ps_nargvstr * sizeof(char *));
+ if (error) {
+ FREE(ps_argvstr, M_TEMP);
+ FREE(buf, M_TEMP);
+ return (error);
+ }
bytes_left = buflen;
for (i = 0; bytes_left && (i < pstr.ps_nargvstr); i++) {
- error = copyinstr(pstr.ps_argvstr[i], ps,
+ error = copyinstr(ps_argvstr[i], ps,
bytes_left, &done);
/* If too long or malformed, just truncate */
if (error) {
@@ -236,6 +250,7 @@ procfs_docmdline(curp, p, pfs, uio)
bytes_left -= done;
}
buflen = ps - buf;
+ FREE(ps_argvstr, M_TEMP);
}
error = uiomove_frombuf(bp, buflen, uio);
diff --git a/sys/ufs/ffs/ffs_inode.c b/sys/ufs/ffs/ffs_inode.c
index 169fde0ea97f..190f597d5f12 100644
--- a/sys/ufs/ffs/ffs_inode.c
+++ b/sys/ufs/ffs/ffs_inode.c
@@ -197,6 +197,7 @@ ffs_truncate(vp, length, flags, cred, p)
#endif
softdep_setup_freeblocks(oip, length);
vinvalbuf(ovp, 0, cred, p, 0, 0);
+ vnode_pager_setsize(vp, 0);
oip->i_flag |= IN_CHANGE | IN_UPDATE;
return (ffs_update(ovp, 0));
}
diff --git a/usr.bin/telnet/telnet.c b/usr.bin/telnet/telnet.c
index a570a8609680..c450a394d496 100644
--- a/usr.bin/telnet/telnet.c
+++ b/usr.bin/telnet/telnet.c
@@ -1193,6 +1193,7 @@ slc_check(void)
}
unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
unsigned char *slc_replyp;
void
@@ -1208,6 +1209,14 @@ slc_start_reply(void)
void
slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
{
+ /* A sequence of up to 6 bytes my be written for this member of the SLC
+ * suboption list by this function. The end of negotiation command,
+ * which is written by slc_end_reply(), will require 2 additional
+ * bytes. Do not proceed unless there is sufficient space for these
+ * items.
+ */
+ if (&slc_replyp[6+2] > slc_reply_eom)
+ return;
if ((*slc_replyp++ = func) == IAC)
*slc_replyp++ = IAC;
if ((*slc_replyp++ = flags) == IAC)
@@ -1221,6 +1230,9 @@ slc_end_reply(void)
{
int len;
+ /* The end of negotiation command requires 2 bytes. */
+ if (&slc_replyp[2] > slc_reply_eom)
+ return;
*slc_replyp++ = IAC;
*slc_replyp++ = SE;
len = slc_replyp - slc_reply;
@@ -1338,8 +1350,8 @@ env_opt(unsigned char *buf, int len)
}
}
-#define OPT_REPLY_SIZE 256
-unsigned char *opt_reply;
+#define OPT_REPLY_SIZE (2 * SUBBUFSIZE)
+unsigned char *opt_reply = NULL;
unsigned char *opt_replyp;
unsigned char *opt_replyend;
@@ -1392,9 +1404,9 @@ env_opt_add(unsigned char *ep)
return;
}
vp = env_getvalue(ep);
- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
- strlen((char *)ep) + 6 > opt_replyend)
- {
+ if (opt_replyp + (vp ? 2 * strlen((char *)vp) : 0) +
+ 2 * strlen((char *)ep) + 6 > opt_replyend)
+ {
int len;
opt_replyend += OPT_REPLY_SIZE;
len = opt_replyend - opt_reply;
@@ -1418,6 +1430,8 @@ env_opt_add(unsigned char *ep)
*opt_replyp++ = ENV_USERVAR;
for (;;) {
while ((c = *ep++)) {
+ if (opt_replyp + (2 + 2) > opt_replyend)
+ return;
switch(c&0xff) {
case IAC:
*opt_replyp++ = IAC;
@@ -1432,6 +1446,8 @@ env_opt_add(unsigned char *ep)
*opt_replyp++ = c;
}
if ((ep = vp)) {
+ if (opt_replyp + (1 + 2 + 2) > opt_replyend)
+ return;
#ifdef OLD_ENVIRON
if (telopt_environ == TELOPT_OLD_ENVIRON)
*opt_replyp++ = old_env_value;
@@ -1462,7 +1478,9 @@ env_opt_end(int emptyok)
{
int len;
- len = opt_replyp - opt_reply + 2;
+ if (opt_replyp + 2 > opt_replyend)
+ return;
+ len = opt_replyp + 2 - opt_reply;
if (emptyok || len > 6) {
*opt_replyp++ = IAC;
*opt_replyp++ = SE;