[src/trunk]: src/sys/kern Don't walk off the end of the dirent buffer.

[riastradh <riastradh%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/8830f8c0a77e
branches:  trunk
changeset: 355401:8830f8c0a77e
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Fri Jul 28 15:37:23 2017 +0000

description:
Don't walk off the end of the dirent buffer.

>From Ilja Van Sprundel.

diffstat:

 sys/kern/vfs_getcwd.c |  7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diffs (28 lines):

diff -r 45f28f9499a0 -r 8830f8c0a77e sys/kern/vfs_getcwd.c
--- a/sys/kern/vfs_getcwd.c     Fri Jul 28 15:34:06 2017 +0000
+++ b/sys/kern/vfs_getcwd.c     Fri Jul 28 15:37:23 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_getcwd.c,v 1.51 2017/06/01 02:45:13 chs Exp $ */
+/* $NetBSD: vfs_getcwd.c,v 1.52 2017/07/28 15:37:23 riastradh Exp $ */
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.51 2017/06/01 02:45:13 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.52 2017/07/28 15:37:23 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -211,7 +211,8 @@
                                reclen = dp->d_reclen;
 
                                /* check for malformed directory.. */
-                               if (reclen < _DIRENT_MINSIZE(dp)) {
+                               if (reclen < _DIRENT_MINSIZE(dp) ||
+                                   reclen > len) {
                                        error = EINVAL;
                                        goto out;
                                }