Module Name: src Committed By: maxv Date: Thu Jul 10 19:12:07 UTC 2014
Modified Files: src/sys/kern: sys_module.c Log Message: Fix a user-controlled memory allocation. kmem_alloc(0) will panic the system. ok christos@ To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/sys/kern/sys_module.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/kern/sys_module.c diff -u src/sys/kern/sys_module.c:1.14 src/sys/kern/sys_module.c:1.15 --- src/sys/kern/sys_module.c:1.14 Tue Aug 7 01:19:05 2012 +++ src/sys/kern/sys_module.c Thu Jul 10 19:12:07 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: sys_module.c,v 1.14 2012/08/07 01:19:05 jnemeth Exp $ */ +/* $NetBSD: sys_module.c,v 1.15 2014/07/10 19:12:07 maxv Exp $ */ /*- * Copyright (c) 2008 The NetBSD Foundation, Inc. @@ -31,7 +31,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: sys_module.c,v 1.14 2012/08/07 01:19:05 jnemeth Exp $"); +__KERNEL_RCSID(0, "$NetBSD: sys_module.c,v 1.15 2014/07/10 19:12:07 maxv Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -46,6 +46,11 @@ __KERNEL_RCSID(0, "$NetBSD: sys_module.c #include <opt_modular.h> +/* + * Arbitrary limit to avoid DoS for excessive memory allocation. + */ +#define MAXPROPSLEN 4096 + static int handle_modctl_load(modctl_load_t *ml) { @@ -67,7 +72,12 @@ handle_modctl_load(modctl_load_t *ml) goto out2; if (ml->ml_props != NULL) { + if (ml->ml_propslen > MAXPROPSLEN) { + error = ENOMEM; + goto out2; + } propslen = ml->ml_propslen + 1; + props = (char *)kmem_alloc(propslen, KM_SLEEP); if (props == NULL) { error = ENOMEM;
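Review bot: The comment above `MAXPROPSLEN` in the `@@ -46,6 +46,11 @@` hunk documents only the excessive-allocation motive, while the commit log gives the actual failure as `kmem_alloc(0)` panicking the system. Presumably that zero size comes from `ml->ml_propslen + 1` wrapping when the caller passes the largest possible value (the field's type is not visible here), so the limit also acts as the overflow guard for that addition. I would say so in the comment, e.g. `/* Bound on ml_propslen: caps the allocation and keeps ml_propslen + 1 from wrapping to 0, which panics kmem_alloc(). */`, so that a later change to the limit does not silently drop the guard.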
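Review bot: The new rejection in the `@@ -67,7 +72,12 @@` hunk of `handle_modctl_load` returns `ENOMEM`, the same value the allocation-failure branch a few lines below uses, so a caller cannot tell a length refused by policy from real memory exhaustion. An errno that describes the argument, such as `error = E2BIG;` or `error = EINVAL;`, would make the refusal easier to diagnose, and the 4096-byte limit deserves a mention wherever the modctl errors are documented. The rest of the function body and the `out2` label lie outside the hunk, so the cleanup on this path cannot be checked from here.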