From d104a1a89acda043a53747a9556f61b8e290eecf Mon Sep 17 00:00:00 2001
From: itojun
Date: Wed, 1 Oct 2003 21:45:14 +0000
Subject: [PATCH] make debug_sysctl() sysctl MIB check more strict. from smak. attack similar to NetBSD-SA2003-014 can be mounted due to this flaw.
---
 sys/kern/kern_sysctl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index dfd3898b00ee..22e467d83d21 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_sysctl.c,v 1.146 2003/09/28 13:24:48 dsl Exp $ */
+/* $NetBSD: kern_sysctl.c,v 1.147 2003/10/01 21:45:14 itojun Exp $ */
 /*-
 * Copyright (c) 1982, 1986, 1989, 1993
@@ -39,7 +39,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: kern_sysctl.c,v 1.146 2003/09/28 13:24:48 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_sysctl.c,v 1.147 2003/10/01 21:45:14 itojun Exp $");
 #include "opt_ddb.h"
 #include "opt_insecure.h"
@@ -782,7 +782,7 @@ debug_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
 /* all sysctl names at this level are name and field */
 if (namelen != 2)
 return (ENOTDIR); /* overloaded */
- if (name[0] >= CTL_DEBUG_MAXID)
+ if (name[0] < 0 || name[0] >= CTL_DEBUG_MAXID)
 return (EOPNOTSUPP);
 cdp = debugvars[name[0]];
 if (cdp->debugname == 0)
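Review bot: The new guard in `debug_sysctl()` bounds `name[0]` by `CTL_DEBUG_MAXID`, but the object actually indexed is `debugvars[]` in `cdp = debugvars[name[0]]`, and nothing in the hunk shows that the array has exactly `CTL_DEBUG_MAXID` elements. Because `name[]` is a signed, caller-supplied MIB, I would tie the limit to the array itself, e.g. `if (name[0] < 0 || (size_t)name[0] >= sizeof(debugvars) / sizeof(debugvars[0]))` (assuming `debugvars` is a true array in scope here), and add a comment such as `/* name[] is caller-supplied and signed: reject negative indices before indexing debugvars[] */`. `cdp` is also dereferenced in `cdp->debugname` with no NULL check, so every slot below the limit has to be populated; that is worth confirming at the definition of `debugvars`. The function body starts and ends outside the hunk, so how `name[1]` is validated cannot be judged from here.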