author | mav <mav@FreeBSD.org> | 2009-07-16 19:48:39 +0000 |
---|---|---|
committer | mav <mav@FreeBSD.org> | 2009-07-16 19:48:39 +0000 |
commit | d2202065d565efbe0f640ffbfe6c3fba617cf3d0 (patch) | |
tree | 4f85b933808bed917d808d318cbba7cb1efa76a4 | |
parent | 86904ca4632461c015b501d0a757251cd3677b40 (diff) | |
Limit IOCATAREQUEST ioctl data size to controller's maximum I/O size.
It fixes a kernel panic when the requested size is too large (0xffffffff).
PR: kern/136726
Approved by: re (kib)
MFC after: 2 weeks
-rw-r--r-- | sys/dev/ata/ata-all.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/dev/ata/ata-all.c b/sys/dev/ata/ata-all.c
index 4530767..383060c 100644
--- a/sys/dev/ata/ata-all.c
+++ b/sys/dev/ata/ata-all.c
@@ -472,6 +472,7 @@ int
 ata_device_ioctl(device_t dev, u_long cmd, caddr_t data)
 {
 struct ata_device *atadev = device_get_softc(dev);
+ struct ata_channel *ch = device_get_softc(device_get_parent(dev));
 struct ata_ioc_request *ioc_request = (struct ata_ioc_request *)data;
 struct ata_params *params = (struct ata_params *)data;
 int *mode = (int *)data;
@@ -481,6 +482,10 @@ ata_device_ioctl(device_t dev, u_long cmd, caddr_t data)
 switch (cmd) {
 case IOCATAREQUEST:
+ if (ioc_request->count >
+ (ch->dma.max_iosize ? ch->dma.max_iosize : DFLTPHYS)) {
+ return (EFBIG);
+ }
 if (!(buf = malloc(ioc_request->count, M_ATA, M_NOWAIT))) {
 return ENOMEM;
 }
|
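Review bot: The new bound on `ioc_request->count` in the IOCATAREQUEST case is only as strong as the signedness of the comparison, and neither the type of `count` nor that of `ch->dma.max_iosize` is visible in this hunk. If both turn out to be signed, the 0xffffffff value from the commit message is -1, passes the check, and still reaches `malloc()` as a huge size. I would state the intent with a comment such as `/* count is user-supplied; compare as unsigned so negative values are rejected */` and, if `count` is signed, make it explicit with `if ((u_int)ioc_request->count >`. The added `return (EFBIG);` also differs in style from the `return ENOMEM;` just below it. The rest of the IOCATAREQUEST case lies outside the hunk, so whether `count` is used again after this check cannot be confirmed from here.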