compat/linprocfs: Fix auxv sbuf leak
linprocfs_doauxv() allocates an automatic sbuf before validating whether the requested read can be satisfied. When the computed auxv read length exceeds IOSIZE_MAX, or when the buffer length is too big, the function returns early without releasing the sbuf. Route these early exits through a shared cleanup path so the sbuf is always deleted after sbuf_new_auto() succeeds. Signed-off-by: Shunchao Hu <ankohuu@gmail.com> Reviewed by: des, spmzt, zlei, aokblast MFC after: 2 weeks Pull Request: https://github.com/freebsd/freebsd-src/pull/2118
committed by
ShengYi Hung
parent
c913dce86e
commit
16aa49f6d1
@@ -2026,23 +2026,26 @@ linprocfs_doauxv(PFS_FILL_ARGS)
|
||||
if (asb == NULL)
|
||||
return (ENOMEM);
|
||||
error = proc_getauxv(td, p, asb);
|
||||
if (error == 0)
|
||||
error = sbuf_finish(asb);
|
||||
if (error != 0)
|
||||
goto out;
|
||||
error = sbuf_finish(asb);
|
||||
if (error != 0)
|
||||
goto out;
|
||||
|
||||
resid = sbuf_len(asb) - uio->uio_offset;
|
||||
if (resid > uio->uio_resid)
|
||||
buflen = uio->uio_resid;
|
||||
else
|
||||
buflen = resid;
|
||||
if (buflen > IOSIZE_MAX)
|
||||
return (EINVAL);
|
||||
if (buflen > IOSIZE_MAX) {
|
||||
error = EINVAL;
|
||||
goto out;
|
||||
}
|
||||
if (buflen > maxphys)
|
||||
buflen = maxphys;
|
||||
if (resid <= 0)
|
||||
return (0);
|
||||
|
||||
if (error == 0)
|
||||
if (resid > 0)
|
||||
error = uiomove(sbuf_data(asb) + uio->uio_offset, buflen, uio);
|
||||
out:
|
||||
sbuf_delete(asb);
|
||||
return (error);
|
||||
}
|
||||
|
||||
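Review bot: The `if (resid > 0)` guard in front of `uiomove()` also takes over the old `if (resid <= 0) return (0);` exit, a third path that returned without `sbuf_delete(asb)`, yet neither the code nor the description says so. The +/- markers are lost on this page, so which lines are new is inferred from the `out:` label and the description. A read at an offset at or past the end of the auxv data is chosen by the caller, so that path deserves a comment that keeps a later edit from turning it back into an early return, for example `/* Offset at or past the end: nothing to copy, fall through to out so asb is freed. */` above the guard. A second comment at the label, `/* Only exit once sbuf_new_auto() has succeeded. */`, would state the invariant this fix establishes. The allocation and the declarations of `resid` and `buflen` are outside the hunk, so whether `uio->uio_offset` is validated before this point cannot be confirmed from here.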