author: Colin Percival <cperciva@FreeBSD.org> 2009-03-23 00:00:50 +0000
committer: Colin Percival <cperciva@FreeBSD.org> 2009-03-23 00:00:50 +0000
commit: cff0c03ef7b93d6ab09a8ce2ab009348e5c7aecd (patch)
tree: f159f6602b2eba48b26cd6dbeb6057e182702320
parent: bb602bfc7c7d3bf85832427c2e5f1d836d318194 (diff)
4 files changed, 16 insertions, 5 deletions
diff --git a/UPDATING b/UPDATING
index cc0b7d4b62af..85cac64c0ef1 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,12 @@ Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20090323:	p11	FreeBSD-SA-09:06.ktimer, FreeBSD-EN-09:01.kenv
+	Correctly sanity-check timer IDs. [SA-09:06]
+
+	Limit the size of malloced buffer when dumping environment
+	variables. [EN-09:01]
+
 20090216:	p10	FreeBSD-SA-09:05.telnetd
 	Correctly scrub telnetd's environment.
 
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 3d224a3fee5b..fa8190b1dec8 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.0"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/kern/kern_environment.c b/sys/kern/kern_environment.c
index 9737f355fb69..d093067361d1 100644
--- a/sys/kern/kern_environment.c
+++ b/sys/kern/kern_environment.c
@@ -87,7 +87,7 @@ kenv(td, uap)
 	} */ *uap;
 {
 	char *name, *value, *buffer = NULL;
-	size_t len, done, needed;
+	size_t len, done, needed, buflen;
 	int error, i;
 
 	KASSERT(dynamic_kenv, ("kenv: dynamic_kenv = 0"));
@@ -100,13 +100,17 @@ kenv(td, uap)
 			return (error);
 #endif
 		done = needed = 0;
+		buflen = uap->len;
+		if (buflen > KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2))
+			buflen = KENV_SIZE * (KENV_MNAMELEN +
+			    KENV_MVALLEN + 2);
 		if (uap->len > 0 && uap->value != NULL)
-			buffer = malloc(uap->len, M_TEMP, M_WAITOK|M_ZERO);
+			buffer = malloc(buflen, M_TEMP, M_WAITOK|M_ZERO);
 		mtx_lock(&kenv_lock);
 		for (i = 0; kenvp[i] != NULL; i++) {
 			len = strlen(kenvp[i]) + 1;
 			needed += len;
-			len = min(len, uap->len - done);
+			len = min(len, buflen - done);
 			/*
 			 * If called with a NULL or insufficiently large
 			 * buffer, just keep computing the required size.
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c
index e220cd6e5a4a..2aa2e9972c51 100644
--- a/sys/kern/kern_time.c
+++ b/sys/kern/kern_time.c
@@ -1068,7 +1068,8 @@ itimer_find(struct proc *p, int timerid)
 	struct itimer *it;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
-	if ((p->p_itimers == NULL) || (timerid >= TIMER_MAX) ||
+	if ((p->p_itimers == NULL) ||
+	    (timerid < 0) || (timerid >= TIMER_MAX) ||
 	    (it = p->p_itimers->its_timers[timerid]) == NULL) {
 		return (NULL);
 	}
author	Colin Percival <cperciva@FreeBSD.org>	2009-03-23 00:00:50 +0000
committer	Colin Percival <cperciva@FreeBSD.org>	2009-03-23 00:00:50 +0000
commit	cff0c03ef7b93d6ab09a8ce2ab009348e5c7aecd (patch)
tree	f159f6602b2eba48b26cd6dbeb6057e182702320
parent	bb602bfc7c7d3bf85832427c2e5f1d836d318194 (diff)