From 2cbe44e441726abf568fbc4ca3cb5ab157ae7684 Mon Sep 17 00:00:00 2001
From: Roland McGrath
Date: Thu, 26 May 2005 23:21:09 +0000
Subject: [PATCH] 2005-05-26 Roland McGrath * system.c (sys_sysctl): Check for errors accessing user pointers. Use malloc instead of alloca in case size is insane.
---
 system.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/system.c b/system.c
index 49e95b58..82c5499a 100644
--- a/system.c
+++ b/system.c
@@ -1822,10 +1822,20 @@ struct tcb *tcp;
 {
 struct __sysctl_args info;
 int *name;
- umove (tcp, tcp->u_arg[0], &info);
-
- name = alloca (sizeof (int) * info.nlen);
- umoven(tcp, (size_t) info.name, sizeof (int) * info.nlen, (char *) name);
+ if (umove (tcp, tcp->u_arg[0], &info) < 0)
+ return printargs(tcp);
+
+ name = malloc (sizeof (int) * info.nlen);
+ if (name == NULL ||
+ umoven(tcp, (unsigned long) info.name,
+ sizeof (int) * info.nlen, (char *) name) < 0) {
+ if (name != NULL)
+ free(name);
+ tprintf("{%p, %d, %p, %p, %p, %Zu}",
+ info.name, info.nlen, info.oldval, info.oldlenp,
+ info.newval, info.newlen);
+ return 0;
+ }
 if (entering(tcp)) {
 int cnt = 0;
@@ -1950,6 +1960,8 @@ struct tcb *tcp;
 }
 tprintf("}");
 }
+
+ free(name);
 return 0;
 }
 #else
--
2.40.0
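Review bot: In the first hunk of system.c, `sizeof (int) * info.nlen` in the added `malloc` and `umoven` calls is built from a count read out of the traced process and is never range-checked. A negative `nlen` (it is printed with `%d`, so presumably a signed int) becomes an enormous size that malloc refuses, which the new error path handles, but where `size_t` is 32 bits a large positive count can wrap the product to a few bytes that both calls accept, and any later indexing of `name` up to `info.nlen` (that code is outside the hunk) would then read past the allocation. Bound the count before allocating, e.g. `if (info.nlen < 0 || info.nlen > CTL_MAXNAME) return printargs(tcp);`, assuming `CTL_MAXNAME` from `<linux/sysctl.h>` is in scope here. Note also that `nlen == 0` allows `malloc(0)` to return NULL, which this code reports as a failure. The `if (name != NULL)` guard before `free(name)` is redundant, since `free(NULL)` is a no-op.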
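Review bot: In the second hunk, `free(name)` is added only in front of the final `return 0;`, so it releases the buffer only if every path through the roughly 120 lines between the two hunks falls through to this point. Those lines are not visible here; if any of them returns early, the allocation leaks once per traced sysctl call, so confirm there is no such return or send all exits through one cleanup label that frees `name`. A short comment such as `/* name was malloc'ed at the top of sys_sysctl */` above the call would make the ownership clear.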