Index: sys/miscfs/procfs/procfs_status.c =================================================================== RCS file: /home/ncvs/src/sys/miscfs/procfs/Attic/procfs_status.c,v retrieving revision 1.20.2.5 diff -u -p -u -r1.20.2.5 procfs_status.c --- sys/miscfs/procfs/procfs_status.c 2 Oct 2003 16:49:49 -0000 1.20.2.5 +++ sys/miscfs/procfs/procfs_status.c 27 Nov 2004 14:20:17 -0000 @@ -186,6 +186,7 @@ procfs_docmdline(curp, p, pfs, uio) char *buf, *bp; int buflen; struct ps_strings pstr; + char **ps_argvstr; int i; size_t bytes_left, done; @@ -223,9 +224,22 @@ procfs_docmdline(curp, p, pfs, uio) FREE(buf, M_TEMP); return (error); } + if (pstr.ps_nargvstr > ARG_MAX) { + FREE(buf, M_TEMP); + return (E2BIG); + } + MALLOC(ps_argvstr, char **, pstr.ps_nargvstr * sizeof(char *), + M_TEMP, M_WAITOK); + error = copyin((void *)pstr.ps_argvstr, ps_argvstr, + pstr.ps_nargvstr * sizeof(char *)); + if (error) { + FREE(ps_argvstr, M_TEMP); + FREE(buf, M_TEMP); + return (error); + } bytes_left = buflen; for (i = 0; bytes_left && (i < pstr.ps_nargvstr); i++) { - error = copyinstr(pstr.ps_argvstr[i], ps, + error = copyinstr(ps_argvstr[i], ps, bytes_left, &done); /* If too long or malformed, just truncate */ if (error) { @@ -236,6 +250,7 @@ procfs_docmdline(curp, p, pfs, uio) bytes_left -= done; } buflen = ps - buf; + FREE(ps_argvstr, M_TEMP); } error = uiomove_frombuf(bp, buflen, uio);