From c83104101c5941668491e30eab98bde4ad69a638 Mon Sep 17 00:00:00 2001
From: Ilja van Sprundel
Date: Thu, 3 Oct 2019 15:26:53 +0200
Subject: [PATCH] validated returned length value

Make sure the service isn't lying about the amount of bytes it wrote into vaddr. This prevents possible out of bound reads and writes by callers that rely on and trust the length value returned by the server.
---
 minix/lib/libsys/ds.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/minix/lib/libsys/ds.c b/minix/lib/libsys/ds.c
index 7f665e9b0..223f08302 100644
--- a/minix/lib/libsys/ds.c
+++ b/minix/lib/libsys/ds.c
@@ -141,6 +141,9 @@ static int ds_retrieve_raw(const char *ds_name, char *vaddr, size_t *length,
 m.m_ds_req.val_len = *length;
 m.m_ds_req.flags = flags;
 r = do_invoke_ds(&m, DS_RETRIEVE, ds_name);
+ if (m.m_ds_reply.val_len > *length) {
+ return EINVAL;
+ }
 *length = m.m_ds_reply.val_len;
 cpf_revoke(gid);
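Review bot: The added `return EINVAL;` leaves ds_retrieve_raw before the `cpf_revoke(gid)` that follows it, so a server that reports an oversized length now also leaks the write grant on `vaddr`; the early exit needs the revoke ahead of it, i.e. `if (m.m_ds_reply.val_len > *length) { cpf_revoke(gid); return EINVAL; }`. The new check also runs without looking at `r`: when `do_invoke_ds` fails, `m.m_ds_reply.val_len` presumably holds whatever the reply or the untouched `m` contains, so only trusting the reply length when `r == OK` and otherwise returning `r` rather than `EINVAL` would be more defensible — confirm how `m` is initialised earlier in the function. A short comment on the check, e.g. `/* Reject a reply length larger than the grant covers; callers trust *length. */`, would record why the requested length is the bound. The body of ds_retrieve_raw starts and ends outside this hunk.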