1
Index: sys/kern/kern_environment.c
2
===================================================================
3
--- sys/kern/kern_environment.c	(revision 190221)
4
+++ sys/kern/kern_environment.c	(working copy)
5
@@ -87,7 +87,7 @@
6
 	} */ *uap;
7
 {
8
 	char *name, *value, *buffer = NULL;
9
-	size_t len, done, needed;
10
+	size_t len, done, needed, buflen;
11
 	int error, i;
12
 
13
 	KASSERT(dynamic_kenv, ("kenv: dynamic_kenv = 0"));
14
@@ -100,13 +100,17 @@
15
 			return (error);
16
 #endif
17
 		done = needed = 0;
18
+		buflen = uap->len;
19
+		if (buflen > KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2))
20
+			buflen = KENV_SIZE * (KENV_MNAMELEN +
21
+			    KENV_MVALLEN + 2);
22
 		if (uap->len > 0 && uap->value != NULL)
23
-			buffer = malloc(uap->len, M_TEMP, M_WAITOK|M_ZERO);
24
+			buffer = malloc(buflen, M_TEMP, M_WAITOK|M_ZERO);
25
 		mtx_lock(&kenv_lock);
26
 		for (i = 0; kenvp[i] != NULL; i++) {
27
 			len = strlen(kenvp[i]) + 1;
28
 			needed += len;
29
-			len = min(len, uap->len - done);
30
+			len = min(len, buflen - done);
31
 			/*
32
 			 * If called with a NULL or insufficiently large
33
 			 * buffer, just keep computing the required size.
34

35