From 12bc3e29378fb83819a842a5fddaedd2ad5f45a2 Mon Sep 17 00:00:00 2001
From: Ilja van Sprundel
Date: Thu, 3 Oct 2019 15:09:31 +0200
Subject: [PATCH] prevent integer overflow

This change adds individual bounds checks for namelen and prefixlen in order to prevent integer overflow (which could cause memory corruption).
---
 minix/lib/libsys/rmib.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/minix/lib/libsys/rmib.c b/minix/lib/libsys/rmib.c
index e4b686389..82084de60 100644
--- a/minix/lib/libsys/rmib.c
+++ b/minix/lib/libsys/rmib.c
@@ -711,7 +711,9 @@ rmib_call(const message * m_in)
 */
 /* A zero name length is valid and should always yield EISDIR. */
 namelen = m_in->m_mib_lsys_call.name_len;
- if (prefixlen + namelen > __arraycount(name))
+ if (namelen > __arraycount(name) ||
+ prefixlen > __arraycount(name) ||
+ prefixlen + namelen > __arraycount(name))
 return EINVAL;
 if (namelen > 0) {
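Review bot: The retained clause `prefixlen + namelen > __arraycount(name)` is only wrap-free because the two new individual checks sit in the same condition, and no comment in the hunk records that dependency, so a later edit that drops a clause would silently restore the overflow. A subtraction form cannot wrap once prefixlen is bounded, and needs two comparisons instead of three: `if (prefixlen > __arraycount(name) || namelen > __arraycount(name) - prefixlen) return EINVAL;`. If the three-clause form is kept, a comment such as `/* Bound each length first: name_len is caller-supplied and the sum may wrap. */` above the condition would record the intent. The declarations of namelen and prefixlen are outside the hunk, so this assumes both are unsigned; if either is signed, the sum is undefined behaviour on overflow rather than a wrap, which is worth confirming. rmib_call's body starts and ends outside the hunk.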