From cc26e2da8f2d3e67dd34c414316adf4e73d30016 Mon Sep 17 00:00:00 2001 From: elad Date: Thu, 30 Nov 2006 01:42:21 +0000 Subject: [PATCH] Make sure that memory freed as M_VERIEXEC was allocated with that type. Pointed out by Jason Thorpe, thanks! --- sys/kern/kern_verifiedexec.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/sys/kern/kern_verifiedexec.c b/sys/kern/kern_verifiedexec.c index 81d4eaf532d4..52e679d49cd2 100644 --- a/sys/kern/kern_verifiedexec.c +++ b/sys/kern/kern_verifiedexec.c @@ -1,4 +1,4 @@ -/* $NetBSD: kern_verifiedexec.c,v 1.75 2006/11/30 01:09:47 elad Exp $ */ +/* $NetBSD: kern_verifiedexec.c,v 1.76 2006/11/30 01:42:21 elad Exp $ */ /*- * Copyright 2005 Elad Efrat @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.75 2006/11/30 01:09:47 elad Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.76 2006/11/30 01:42:21 elad Exp $"); #include "opt_veriexec.h" @@ -987,12 +987,19 @@ veriexec_file_add(struct lwp *l, prop_dictionary_t dict) goto out; } - vfe->fp = prop_data_data(prop_dictionary_get(dict, "fp")); - if (vfe->fp == NULL) { + if (prop_data_size(prop_dictionary_get(dict, "fp")) != + vfe->ops->hash_len) { free(vfe, M_VERIEXEC); + log(LOG_ERR, "Veriexec: Bad fingerprint length for `%s'.\n", + file); + error = EINVAL; goto out; } + vfe->fp = malloc(vfe->ops->hash_len, M_VERIEXEC, M_WAITOK); + memcpy(vfe->fp, prop_data_data_nocopy(prop_dictionary_get(dict, "fp")), + vfe->ops->hash_len); + /* * See if we already have an entry for this file. If we do, then * let the user know and silently pretend to succeed.