authorbde <bde@FreeBSD.org>1997-03-16 19:11:40 +0000
committerbde <bde@FreeBSD.org>1997-03-16 19:11:40 +0000
commite90724566c471cb91159cccf9b2e87cbfdaa7b1c (patch)
tree543e8cd4761a6ba21bb636cdd2c8782e3a79270e
parent46daec6a8a7b1e2d0651eccce172452715b15f3e (diff)
Fixed null pointer panic in devtotty(). Fixed bounds checking in
devtotty(). devtotty() must check its arg carefully since the arg is supplied as ioctl data. This should fix PR3004. Renamed devtotty() to snpdevtotty().
-rw-r--r--sys/dev/snp/snp.c20
-rw-r--r--sys/kern/tty_snoop.c20
2 files changed, 26 insertions, 14 deletions
diff --git a/sys/dev/snp/snp.c b/sys/dev/snp/snp.c
index c09ccd7..0e14b60 100644
--- a/sys/dev/snp/snp.c
+++ b/sys/dev/snp/snp.c
@@ -54,17 +54,23 @@ static struct cdevsw snp_cdevsw =
static struct snoop snoopsw[NSNP];
-static struct tty *devtotty __P((dev_t dev));
+static struct tty *snpdevtotty __P((dev_t dev));
static int snp_detach __P((struct snoop *snp));
static struct tty *
-devtotty (dev)
+snpdevtotty (dev)
dev_t dev;
{
- if (major(dev) > nchrdev)
- return (NULL); /* no such device available */
-
- return (*cdevsw[major(dev)]->d_devtotty)(dev);
+ struct cdevsw *cdp;
+ int maj;
+
+ maj = major(dev);
+ if ((u_int)maj >= nchrdev)
+ return (NULL);
+ cdp = cdevsw[maj];
+ if (cdp == NULL)
+ return (NULL);
+ return ((*cdp->d_devtotty)(dev));
}
#define SNP_INPUT_BUF 5 /* This is even too much,the maximal
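Review bot: In snpdevtotty(), `cdp->d_devtotty` is still called without checking that the method pointer itself is non-NULL; the new code validates the major number and the cdevsw slot, but not the member it then calls through. Because `dev` arrives as ioctl data, the caller can select any registered character driver, so unless every cdevsw entry is guaranteed to carry a stub for this method (not visible in this hunk), the guard should read `if (cdp == NULL || cdp->d_devtotty == NULL)`. The removed comment could be replaced by one that records why the checks exist, e.g. `/* dev comes from ioctl data; validate before indexing cdevsw[] */`. The identical hunk in sys/kern/tty_snoop.c has the same gap.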
@@ -404,7 +410,7 @@ snpioctl(dev, cmd, data, flags, p)
if (tdev == -1)
return (snpdown(snp));
- tp = devtotty(tdev);
+ tp = snpdevtotty(tdev);
if (!tp)
return (EINVAL);
diff --git a/sys/kern/tty_snoop.c b/sys/kern/tty_snoop.c
index c09ccd7..0e14b60 100644
--- a/sys/kern/tty_snoop.c
+++ b/sys/kern/tty_snoop.c
@@ -54,17 +54,23 @@ static struct cdevsw snp_cdevsw =
static struct snoop snoopsw[NSNP];
-static struct tty *devtotty __P((dev_t dev));
+static struct tty *snpdevtotty __P((dev_t dev));
static int snp_detach __P((struct snoop *snp));
static struct tty *
-devtotty (dev)
+snpdevtotty (dev)
dev_t dev;
{
- if (major(dev) > nchrdev)
- return (NULL); /* no such device available */
-
- return (*cdevsw[major(dev)]->d_devtotty)(dev);
+ struct cdevsw *cdp;
+ int maj;
+
+ maj = major(dev);
+ if ((u_int)maj >= nchrdev)
+ return (NULL);
+ cdp = cdevsw[maj];
+ if (cdp == NULL)
+ return (NULL);
+ return ((*cdp->d_devtotty)(dev));
}
#define SNP_INPUT_BUF 5 /* This is even too much,the maximal
@@ -404,7 +410,7 @@ snpioctl(dev, cmd, data, flags, p)
if (tdev == -1)
return (snpdown(snp));
- tp = devtotty(tdev);
+ tp = snpdevtotty(tdev);
if (!tp)
return (EINVAL);