mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-24 11:29:10 +00:00
Import a vendor fix for a list overrun.
This has been considered as a security hole on some specialized ml, but currently the secteam@ doesn't consider that way. Reviewed by: emaste, des Sponsored by: Sandvine Incorporated MFC after: 3 days
This commit is contained in:
parent
b61d9eabb4
commit
dcc3a33188
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=196916
@ -485,7 +485,7 @@ extern pthread_mutex_t __gdtoa_locks[2];
|
||||
_pthread_mutex_unlock(&__gdtoa_locks[n]); \
|
||||
} while(0)
|
||||
|
||||
#define Kmax 15
|
||||
#define Kmax 9
|
||||
|
||||
struct
|
||||
Bigint {
|
||||
|
@ -55,7 +55,9 @@ Balloc
|
||||
#endif
|
||||
|
||||
ACQUIRE_DTOA_LOCK(0);
|
||||
if ( (rv = freelist[k]) !=0) {
|
||||
/* The k > Kmax case does not need ACQUIRE_DTOA_LOCK(0), */
|
||||
/* but this case seems very unlikely. */
|
||||
if (k <= Kmax && (rv = freelist[k]) !=0) {
|
||||
freelist[k] = rv->next;
|
||||
}
|
||||
else {
|
||||
@ -65,7 +67,7 @@ Balloc
|
||||
#else
|
||||
len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
|
||||
/sizeof(double);
|
||||
if (pmem_next - private_mem + len <= PRIVATE_mem) {
|
||||
if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
|
||||
rv = (Bigint*)pmem_next;
|
||||
pmem_next += len;
|
||||
}
|
||||
@ -89,10 +91,14 @@ Bfree
|
||||
#endif
|
||||
{
|
||||
if (v) {
|
||||
ACQUIRE_DTOA_LOCK(0);
|
||||
v->next = freelist[v->k];
|
||||
freelist[v->k] = v;
|
||||
FREE_DTOA_LOCK(0);
|
||||
if (v->k > Kmax)
|
||||
free((void*)v);
|
||||
else {
|
||||
ACQUIRE_DTOA_LOCK(0);
|
||||
v->next = freelist[v->k];
|
||||
freelist[v->k] = v;
|
||||
FREE_DTOA_LOCK(0);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user