diff options
| author | Sean Bruno <sbruno@FreeBSD.org> | 2016-04-20 15:31:03 +0000 |
|---|---|---|
| committer | Sean Bruno <sbruno@FreeBSD.org> | 2016-04-20 15:31:03 +0000 |
| commit | 2f7a2b9d79d4312d78b4efdc358e738e0d9907b0 (patch) | |
| tree | 503fcf5f4bc9eb5d9efce71a567aad9f916059a6 /sys/nlm | |
| parent | d478c9fe53d274b3b8700f289b3f7450fe80fe73 (diff) | |
| download | src-2f7a2b9d79d4312d78b4efdc358e738e0d9907b0.tar.gz src-2f7a2b9d79d4312d78b4efdc358e738e0d9907b0.zip | |
Avoid a possible heap overflow in our nlm code by limiting the number
of service to the arbitrary value of 256. Log an appropriate message
that indicates the hard limit.
PR: 208808
Submitted by: cturt@hardenedbsd.org
Reviewed by: dfr
Obtained from: HardenedBSD
MFC after: 2 weeks
Notes
Notes:
svn path=/head/; revision=298351
Diffstat (limited to 'sys/nlm')
| -rw-r--r-- | sys/nlm/nlm_prot_impl.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/nlm/nlm_prot_impl.c b/sys/nlm/nlm_prot_impl.c index 5f202066ab70..28a618a4ad19 100644 --- a/sys/nlm/nlm_prot_impl.c +++ b/sys/nlm/nlm_prot_impl.c @@ -1439,6 +1439,12 @@ nlm_register_services(SVCPOOL *pool, int addr_count, char **addrs) return (EINVAL); } + if (addr_count < 0 || addr_count > 256 ) { + NLM_ERR("NLM: too many service addresses (%d) given, " + "max 256 - can't start server\n", addr_count); + return (EINVAL); + } + xprts = malloc(addr_count * sizeof(SVCXPRT *), M_NLM, M_WAITOK|M_ZERO); for (i = 0; i < version_count; i++) { for (j = 0; j < addr_count; j++) { |