On 08/28/13 20:57, Matthew Dempsky wrote:
> On Wed, Aug 28, 2013 at 5:54 AM, Maxime Villard <m...@m00nbsd.net> wrote:
>> + /* Ensure interp is a valid, NUL-terminated string */
>> + for (n = 0; n < pp->p_filesz; n++) {
>> + if (interp[n] == '\0')
>> + break;
>> + }
>> + if (n != pp->p_filesz - 1) {
>> + error = ENOEXEC;
>> goto bad;
>> }
>
> A more concise test would be:
>
> if (strnlen(interp, pp->p_filesz) != pp->p_filesz - 1) {
> error = ENOEXEC;
> goto bad;
> }
>
Hum you're right, it's better that way
Index: exec_elf.c
===================================================================
RCS file: /cvs/src/sys/kern/exec_elf.c,v
retrieving revision 1.93
diff -u -p -r1.93 exec_elf.c
--- exec_elf.c 4 Jul 2013 17:37:05 -0000 1.93
+++ exec_elf.c 28 Aug 2013 21:14:22 -0000
@@ -552,11 +552,16 @@ ELFNAME2(exec,makecmds)(struct proc *p,
for (i = 0, pp = ph; i < eh->e_phnum; i++, pp++) {
if (pp->p_type == PT_INTERP && !interp) {
- if (pp->p_filesz >= MAXPATHLEN)
+ if (pp->p_filesz < 2 || pp->p_filesz >= MAXPATHLEN)
goto bad;
interp = pool_get(&namei_pool, PR_WAITOK);
if ((error = ELFNAME(read_from)(p, epp->ep_vp,
pp->p_offset, interp, pp->p_filesz)) != 0) {
+ goto bad;
+ }
+ /* Ensure interp is NUL-terminated and of the expected
length */
+ if (strnlen(interp, pp->p_filesz) != pp->p_filesz - 1) {
+ error = ENOEXEC;
goto bad;
}
} else if (pp->p_type == PT_LOAD) {
It no longer looks like my patch...
