Change Details

CID 1498397 reports that an out-of-bounds access in case of a OID that has 23 or 24 elements. Such OIDs do not exist, but could be created (e.g. by a malicious driver trying to exploit this bug by creating a deep sysctl sub-tree). Since the fetched OID name fits into an array of length CTL_MAXNAME, there is no reason to allocate more than that number of elements for name2. In that case, name1 will be large enough to hold the two initial elements and the elements from name2.

CID 1498397 reports that an out-of-bounds access happens in case of an OID that has more than 24 elements. Such OIDs do not exist, but could be created (e.g. by a malicious driver trying to exploit this bug by creating a deep sysctl sub-tree). Since the fetched OID name fits into an array of length CTL_MAXNAME, there is no reason to allocate more than that number of elements for name2. In that case, name1 will be large enough to hold the two initial elements and the elements from name2.

CID 1498397 reports that an out-of-bounds access happens in case of an OID that has 23 ormore than 24 elements. Such OIDs do not exist, but could be created (e.g. by a malicious driver trying to exploit this bug by creating a deep sysctl sub-tree). Since the fetched OID name fits into an array of length CTL_MAXNAME, there is no reason to allocate more than that number of elements for name2. In that case, name1 will be large enough to hold the two initial elements and the elements from name2.