Apply by doing:
cd /usr/src
patch -p0 < 014_systrace.patch
And then rebuild your kernel.
Index: sys/dev/systrace.c
===================================================================
RCS file: /cvs/src/sys/dev/systrace.c,v
retrieving revision 1.38
retrieving revision 1.38.2.1
diff -u -p -r1.38 -r1.38.2.1
--- sys/dev/systrace.c 17 Apr 2005 22:11:34 -0000 1.38
+++ sys/dev/systrace.c 6 Oct 2006 05:53:37 -0000 1.38.2.1
@@ -1360,9 +1360,16 @@ systrace_preprepl(struct str_process *st
return (EINVAL);
for (i = 0, len = 0; i < repl->strr_nrepl; i++) {
- len += repl->strr_offlen[i];
+ if (repl->strr_argind[i] < 0 ||
+ repl->strr_argind[i] >= SYSTR_MAXARGS)
+ return (EINVAL);
if (repl->strr_offlen[i] == 0)
continue;
+ len += repl->strr_offlen[i];
+ if (repl->strr_offlen[i] > SYSTR_MAXREPLEN ||
+ repl->strr_off[i] > SYSTR_MAXREPLEN ||
+ len > SYSTR_MAXREPLEN)
+ return (EINVAL);
if (repl->strr_offlen[i] + repl->strr_off[i] > len)
return (EINVAL);
}
@@ -1372,7 +1379,7 @@ systrace_preprepl(struct str_process *st
return (EINVAL);
/* Check against a maximum length */
- if (repl->strr_len > 2048)
+ if (repl->strr_len > SYSTR_MAXREPLEN)
return (EINVAL);
strp->replace = (struct systrace_replace *)
@@ -1407,6 +1414,10 @@ systrace_replace(struct str_process *str
maxarg = argsize/sizeof(register_t);
ubase = stackgap_alloc(&strp->sg, repl->strr_len);
+ if (ubase == NULL) {
+ ret = EINVAL;
+ goto out;
+ }
kbase = repl->strr_base;
for (i = 0; i < maxarg && i < repl->strr_nrepl; i++) {
Index: sys/dev/systrace.h
===================================================================
RCS file: /cvs/src/sys/dev/systrace.h,v
retrieving revision 1.18
retrieving revision 1.18.4.1
diff -u -p -r1.18 -r1.18.4.1
--- sys/dev/systrace.h 7 Nov 2004 20:39:31 -0000 1.18
+++ sys/dev/systrace.h 6 Oct 2006 05:53:38 -0000 1.18.4.1
@@ -53,6 +53,7 @@ struct str_msg_execve {
#define SYSTR_MAXARGS 64
#define SYSTR_MAXFNAME 8
#define SYSTR_MAXINJECTS 8
+#define SYSTR_MAXREPLEN 2048
struct str_msg_ask {
int code;
