1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-25 11:37:56 +00:00

Import a vendor fix for a list overrun.

This has been considered as a security hole on some specialized ml,
but currently the secteam@ doesn't consider that way.

Reviewed by:	emaste, des
Sponsored by:	Sandvine Incorporated
MFC after:	3 days
This commit is contained in:
Attilio Rao 2009-09-07 09:30:37 +00:00
parent b61d9eabb4
commit dcc3a33188
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=196916
2 changed files with 13 additions and 7 deletions

View File

@ -485,7 +485,7 @@ extern pthread_mutex_t __gdtoa_locks[2];
_pthread_mutex_unlock(&__gdtoa_locks[n]); \ _pthread_mutex_unlock(&__gdtoa_locks[n]); \
} while(0) } while(0)
#define Kmax 15 #define Kmax 9
struct struct
Bigint { Bigint {

View File

@ -55,7 +55,9 @@ Balloc
#endif #endif
ACQUIRE_DTOA_LOCK(0); ACQUIRE_DTOA_LOCK(0);
if ( (rv = freelist[k]) !=0) { /* The k > Kmax case does not need ACQUIRE_DTOA_LOCK(0), */
/* but this case seems very unlikely. */
if (k <= Kmax && (rv = freelist[k]) !=0) {
freelist[k] = rv->next; freelist[k] = rv->next;
} }
else { else {
@ -65,7 +67,7 @@ Balloc
#else #else
len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1) len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
/sizeof(double); /sizeof(double);
if (pmem_next - private_mem + len <= PRIVATE_mem) { if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
rv = (Bigint*)pmem_next; rv = (Bigint*)pmem_next;
pmem_next += len; pmem_next += len;
} }
@ -89,10 +91,14 @@ Bfree
#endif #endif
{ {
if (v) { if (v) {
ACQUIRE_DTOA_LOCK(0); if (v->k > Kmax)
v->next = freelist[v->k]; free((void*)v);
freelist[v->k] = v; else {
FREE_DTOA_LOCK(0); ACQUIRE_DTOA_LOCK(0);
v->next = freelist[v->k];
freelist[v->k] = v;
FREE_DTOA_LOCK(0);
}
} }
} }