Module Name: src Committed By: martin Date: Fri Jul 28 12:28:48 UTC 2017
Modified Files: src/sys/kern: kern_malloc.c Log Message: Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel. XXX Time to kill malloc() completely! To generate a diff of this commit: cvs rdiff -u -r1.145 -r1.146 src/sys/kern/kern_malloc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_malloc.c
diff -u src/sys/kern/kern_malloc.c:1.145 src/sys/kern/kern_malloc.c:1.146
--- src/sys/kern/kern_malloc.c:1.145 Fri Feb 6 18:21:29 2015
+++ src/sys/kern/kern_malloc.c Fri Jul 28 12:28:48 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_malloc.c,v 1.145 2015/02/06 18:21:29 maxv Exp $ */
+/* $NetBSD: kern_malloc.c,v 1.146 2017/07/28 12:28:48 martin Exp $ */
 /*
 * Copyright (c) 1987, 1991, 1993
@@ -70,7 +70,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.145 2015/02/06 18:21:29 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.146 2017/07/28 12:28:48 martin Exp $");
 #include <sys/param.h>
 #include <sys/malloc.h>
@@ -105,7 +105,10 @@ kern_malloc(unsigned long size, int flag
 void *p;
 if (size >= PAGE_SIZE) {
- allocsize = PAGE_SIZE + size; /* for page alignment */
+ if (size > (ULONG_MAX-PAGE_SIZE))
+ allocsize = ULONG_MAX; /* this will fail later */
+ else
+ allocsize = PAGE_SIZE + size; /* for page alignment */
 hdroffset = PAGE_SIZE - sizeof(struct malloc_header);
 } else {
 allocsize = sizeof(struct malloc_header) + size;
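Review bot: The overflow branch in the `size >= PAGE_SIZE` path saturates `allocsize` to `ULONG_MAX` and relies on code outside this hunk to reject it; the `/* this will fail later */` comment states that, but nothing here enforces it. If the allocation call further down in kern_malloc() rounds the size up or adds its own header, `ULONG_MAX` could wrap to a small value again, and with a may-sleep flag an oversized request may block or panic rather than return NULL; neither is visible from this hunk, so both should be confirmed. Failing at the point of detection would be more robust, e.g. `if (size > ULONG_MAX - PAGE_SIZE) return NULL;`, provided callers using the sleeping variant tolerate a NULL return. If the saturating form is kept, the comment should name what rejects the value and note that nothing in between may add to `allocsize`.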