diff options
author | cperciva <cperciva@FreeBSD.org> | 2005-05-06 02:40:18 +0000 |
---|---|---|
committer | cperciva <cperciva@FreeBSD.org> | 2005-05-06 02:40:18 +0000 |
commit | e4a28513e82eb23a2f1155a31e13cd9091ff21be (patch) | |
tree | 54217cd7143ee5fc8db783d3973bc6dfbfa7f806 | |
parent | dd36aac93b9ee7914a2581ce92df7ea3118a8b19 (diff) | |
download | FreeBSD-src-e4a28513e82eb23a2f1155a31e13cd9091ff21be.zip FreeBSD-src-e4a28513e82eb23a2f1155a31e13cd9091ff21be.tar.gz |
Correctly validate inputs to the i386_get_ldt syscall.
Security: FreeBSD-SA-05:07.ldt
-rw-r--r-- | sys/i386/i386/sys_machdep.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c index 22f7024..1f4e907 100644 --- a/sys/i386/i386/sys_machdep.c +++ b/sys/i386/i386/sys_machdep.c @@ -476,10 +476,6 @@ i386_get_ldt(td, uap) uap->start, uap->num, (void *)uap->descs); #endif - /* verify range of LDTs exist */ - if ((uap->start < 0) || (uap->num <= 0)) - return(EINVAL); - if (pldt) { nldt = pldt->ldt_len; num = min(uap->num, nldt); @@ -489,7 +485,10 @@ i386_get_ldt(td, uap) num = min(uap->num, nldt); lp = &ldt[uap->start]; } - if (uap->start + num > nldt) + + if ((uap->start > (unsigned int)nldt) || + ((unsigned int)num > (unsigned int)nldt) || + ((unsigned int)(uap->start + num) > (unsigned int)nldt)) return(EINVAL); error = copyout(lp, uap->descs, num * sizeof(union descriptor)); |