MFC r300612

Reject ioctl commands for FLSHGCHR and FLSHPCHR if the size is greater than sc->areq. This is a bounds check to ensure we're not just cramming arbitrarily sized nonsense into the driver and overflowing the heap. PR: 209545
author: sbruno <sbruno@FreeBSD.org> 2016-07-22 03:26:01 +0000
committer: sbruno <sbruno@FreeBSD.org> 2016-07-22 03:26:01 +0000
commit: 7a0632638b915e94b08bea034bdfd2e61b035263 (patch)
tree: a9a634e31a5b7bd31ffc36d7252d934679968819
parent: 9547b1a0b336439094080e9f10f41f8f110b262e (diff)
download: FreeBSD-src-7a0632638b915e94b08bea034bdfd2e61b035263.zip
FreeBSD-src-7a0632638b915e94b08bea034bdfd2e61b035263.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/dev/an/if_an.c b/sys/dev/an/if_an.c
index ee40c69..b5b9881 100644
--- a/sys/dev/an/if_an.c
+++ b/sys/dev/an/if_an.c
@@ -3777,6 +3777,9 @@ flashcard(struct ifnet *ifp, struct aironet_ioctl *l_ioctl)
 			return ENOBUFS;
 		break;
 	case AIROFLSHGCHR:	/* Get char from aux */
+		if (l_ioctl->len > sizeof(sc->areq)) {
+			return -EINVAL;
+		}
 		AN_UNLOCK(sc);
 		status = copyin(l_ioctl->data, &sc->areq, l_ioctl->len);
 		AN_LOCK(sc);
@@ -3788,6 +3791,9 @@ flashcard(struct ifnet *ifp, struct aironet_ioctl *l_ioctl)
 		else
 			return -1;
 	case AIROFLSHPCHR:	/* Send char to card. */
+		if (l_ioctl->len > sizeof(sc->areq)) {
+			return -EINVAL;
+		}
 		AN_UNLOCK(sc);
 		status = copyin(l_ioctl->data, &sc->areq, l_ioctl->len);
 		AN_LOCK(sc);
author	sbruno <sbruno@FreeBSD.org>	2016-07-22 03:26:01 +0000
committer	sbruno <sbruno@FreeBSD.org>	2016-07-22 03:26:01 +0000
commit	7a0632638b915e94b08bea034bdfd2e61b035263 (patch)
tree	a9a634e31a5b7bd31ffc36d7252d934679968819
parent	9547b1a0b336439094080e9f10f41f8f110b262e (diff)
download	FreeBSD-src-7a0632638b915e94b08bea034bdfd2e61b035263.zip FreeBSD-src-7a0632638b915e94b08bea034bdfd2e61b035263.tar.gz