commit 2cbe44e441726abf568fbc4ca3cb5ab157ae7684
author Roland McGrath <roland@redhat.com> Thu May 26 23:21:09 2005 +0000
committer Roland McGrath <roland@redhat.com> Thu May 26 23:21:09 2005 +0000
tree 142cadba47eecb1e9f7177608895a81cea4557a0
parent 682291ec61d4b9e2397cd739679139e4c17fb0d2

2005-05-26  Roland McGrath  <roland@redhat.com>

	* system.c (sys_sysctl): Check for errors accessing user pointers.
	Use malloc instead of alloca in case size is insane.

system.c

diff --git a/system.c b/system.c
index 49e95b5..82c5499 100644
--- a/system.c
+++ b/system.c
@@ -1822,10 +1822,20 @@
 {
 	struct __sysctl_args info;
 	int *name;
-	umove (tcp, tcp->u_arg[0], &info);
+	if (umove (tcp, tcp->u_arg[0], &info) < 0)
+		return printargs(tcp);
 
-	name = alloca (sizeof (int) * info.nlen);
-	umoven(tcp, (size_t) info.name, sizeof (int) * info.nlen, (char *) name);
+	name = malloc (sizeof (int) * info.nlen);
+	if (name == NULL ||
+	    umoven(tcp, (unsigned long) info.name,
+		   sizeof (int) * info.nlen, (char *) name) < 0) {
+		if (name != NULL)
+			free(name);
+		tprintf("{%p, %d, %p, %p, %p, %Zu}",
+			info.name, info.nlen, info.oldval, info.oldlenp,
+			info.newval, info.newlen);
+		return 0;
+	}
 
 	if (entering(tcp)) {
 		int cnt = 0;
@@ -1950,6 +1960,8 @@
 		}
 		tprintf("}");
 	}
+
+	free(name);
 	return 0;
 }
 #else