Make sure we move forward over the buffer.
From Ilja Van Sprundel.
This commit is contained in:
parent
9a25e0f558
commit
18c4e4218d
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ibcs2_exec_coff.c,v 1.28 2017/07/28 15:50:04 riastradh Exp $ */
|
||||
/* $NetBSD: ibcs2_exec_coff.c,v 1.29 2017/07/28 15:51:35 riastradh Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1994, 1995, 1998 Scott Bartram
|
||||
|
@ -35,7 +35,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.28 2017/07/28 15:50:04 riastradh Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.29 2017/07/28 15:51:35 riastradh Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
@ -469,7 +469,8 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *l, struct exec_package *epp, struct coff
|
|||
/* path_index = slhdr->path_index * sizeof(long); */
|
||||
entry_len = slhdr->entry_len * sizeof(long);
|
||||
|
||||
if (entry_len > len ||
|
||||
if (entry_len < sizeof(struct coff_slhdr) ||
|
||||
entry_len > len ||
|
||||
strnlen(slhdr->sl_name, entry_len) == entry_len) {
|
||||
free(tbuf, M_TEMP);
|
||||
return ENOEXEC;
|
||||
|
|
Loading…
Reference in New Issue