From b6536f9f6175b01651e6e9c18d6ac9995da87d74 Mon Sep 17 00:00:00 2001
From: trasz <trasz@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Thu, 24 May 2012 11:46:39 +0000
Subject: [PATCH] MFC r234380:

Enforce upper bound on the input buffer length.


git-svn-id: svn://svn.freebsd.org/base/stable/9@235901 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/kern/kern_rctl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/kern/kern_rctl.c b/sys/kern/kern_rctl.c
index ad3145686..cef29fbe5 100644
--- a/sys/kern/kern_rctl.c
+++ b/sys/kern/kern_rctl.c
@@ -73,6 +73,7 @@ FEATURE(rctl, "Resource Limits");
 
 /* Default buffer size for rctl_get_rules(2). */
 #define	RCTL_DEFAULT_BUFSIZE	4096
+#define	RCTL_MAX_INBUFLEN	4096
 #define	RCTL_LOG_BUFSIZE	128
 
 /*
@@ -1191,6 +1192,8 @@ rctl_read_inbuf(char **inputstr, const char *inbufp, size_t inbuflen)
 
 	if (inbuflen <= 0)
 		return (EINVAL);
+	if (inbuflen > RCTL_MAX_INBUFLEN)
+		return (E2BIG);
 
 	str = malloc(inbuflen + 1, M_RCTL, M_WAITOK);
 	error = copyinstr(inbufp, str, inbuflen, NULL);
-- 
2.45.0