diff options
| author | nectar <nectar@FreeBSD.org> | 2003-08-10 23:04:55 +0000 |
|---|---|---|
| committer | nectar <nectar@FreeBSD.org> | 2003-08-10 23:04:55 +0000 |
| commit | f5b9f87e772a6fcee8bcad474c3fd99d063c15d4 (patch) | |
| tree | 12f0209fc6a10880cdeb076f627efa787cd2a715 | |
| parent | 09416455b19e2f92a8958f72868349089319992a (diff) | |
| download | FreeBSD-src-f5b9f87e772a6fcee8bcad474c3fd99d063c15d4.zip FreeBSD-src-f5b9f87e772a6fcee8bcad474c3fd99d063c15d4.tar.gz | |
Add or correct range checking of signal numbers in system calls and
ioctls.
In the particular case of ptrace(), this commit more-or-less reverts
revision 1.53 of sys_process.c, which appears to have been erroneous.
Reviewed by: iedowse, jhb
| -rw-r--r-- | sys/dev/bktr/bktr_core.c | 2 | ||||
| -rw-r--r-- | sys/i386/isa/spigot.c | 2 | ||||
| -rw-r--r-- | sys/kern/sys_process.c | 4 | ||||
| -rw-r--r-- | sys/pci/meteor.c | 2 |
4 files changed, 7 insertions, 3 deletions
diff --git a/sys/dev/bktr/bktr_core.c b/sys/dev/bktr/bktr_core.c index a8f8a42..830207e 100644 --- a/sys/dev/bktr/bktr_core.c +++ b/sys/dev/bktr/bktr_core.c @@ -1553,7 +1553,7 @@ video_ioctl( bktr_ptr_t bktr, int unit, ioctl_cmd_t cmd, caddr_t arg, struct thr break; case METEORSSIGNAL: - if(*(int *)arg == 0 || *(int *)arg >= NSIG) { + if(*(int *)arg <= 0 || *(int *)arg > _SIG_MAXSIG) { return( EINVAL ); break; } diff --git a/sys/i386/isa/spigot.c b/sys/i386/isa/spigot.c index b07066b..0b568f3 100644 --- a/sys/i386/isa/spigot.c +++ b/sys/i386/isa/spigot.c @@ -222,6 +222,8 @@ struct spigot_info *info; if(!data) return(EINVAL); switch(cmd){ case SPIGOT_SETINT: + if (*(int *)data < 0 || *(int *)data > _SIG_MAXSIG) + return EINVAL; ss->p = td->td_proc; ss->signal_num = *((int *)data); break; diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c index 3e38319..bdecbf3 100644 --- a/sys/kern/sys_process.c +++ b/sys/kern/sys_process.c @@ -525,8 +525,8 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data) case PT_STEP: case PT_CONTINUE: case PT_DETACH: - /* XXX data is used even in the PT_STEP case. */ - if (req != PT_STEP && (unsigned)data > _SIG_MAXSIG) { + /* Zero means do not send any signal */ + if (data < 0 || data > _SIG_MAXSIG) { error = EINVAL; goto fail; } diff --git a/sys/pci/meteor.c b/sys/pci/meteor.c index 670945a..62666cc 100644 --- a/sys/pci/meteor.c +++ b/sys/pci/meteor.c @@ -1392,6 +1392,8 @@ meteor_ioctl(dev_t dev, u_long cmd, caddr_t arg, int flag, struct thread *td) *(u_short *)arg = mtr->fps; break; case METEORSSIGNAL: + if (*(int *)arg < 0 || *(int *)arg > _SIG_MAXSIG) + return EINVAL; mtr->signal = *(int *) arg; if (mtr->signal) { mtr->proc = td->td_proc; |
