Ensure that the supplied data length is large enough to hold the base

FPU state to avoid passing a negative length to fpusetregs() / npxsetregs(). Differential Revision: https://reviews.freebsd.org/D1861 Reviewed by: kib, emaste
author: jhb <jhb@FreeBSD.org> 2015-02-18 23:34:03 +0000
committer: jhb <jhb@FreeBSD.org> 2015-02-18 23:34:03 +0000
commit: 4145efe339257de7b699d476ad4581458f9236bb (patch)
tree: 790b9a772fcddf67eaf06dacb190625d8263ae4a
parent: ecddca17cc000eb3b238ce89a41afe33e6c5ac55 (diff)
download: FreeBSD-src-4145efe339257de7b699d476ad4581458f9236bb.zip
FreeBSD-src-4145efe339257de7b699d476ad4581458f9236bb.tar.gz
2 files changed, 4 insertions, 2 deletions
diff --git a/sys/amd64/amd64/ptrace_machdep.c b/sys/amd64/amd64/ptrace_machdep.c
index c96fe26..4cd5bf2 100644
--- a/sys/amd64/amd64/ptrace_machdep.c
+++ b/sys/amd64/amd64/ptrace_machdep.c
@@ -88,7 +88,8 @@ cpu_ptrace_xstate(struct thread *td, int req, void *addr, int data)
 		break;
 
 	case PT_SETXSTATE:
-		if (data > cpu_max_ext_state_size) {
+		if (data < sizeof(struct savefpu) ||
+		    data > cpu_max_ext_state_size) {
 			error = EINVAL;
 			break;
 		}
diff --git a/sys/i386/i386/ptrace_machdep.c b/sys/i386/i386/ptrace_machdep.c
index 5cfeb4c..e6248a2 100644
--- a/sys/i386/i386/ptrace_machdep.c
+++ b/sys/i386/i386/ptrace_machdep.c
@@ -92,7 +92,8 @@ cpu_ptrace_xstate(struct thread *td, int req, void *addr, int data)
 		break;
 
 	case PT_SETXSTATE:
-		if (data > cpu_max_ext_state_size) {
+		if (data < sizeof(union savefpu) ||
+		    data > cpu_max_ext_state_size) {
 			error = EINVAL;
 			break;
 		}
author	jhb <jhb@FreeBSD.org>	2015-02-18 23:34:03 +0000
committer	jhb <jhb@FreeBSD.org>	2015-02-18 23:34:03 +0000
commit	4145efe339257de7b699d476ad4581458f9236bb (patch)
tree	790b9a772fcddf67eaf06dacb190625d8263ae4a
parent	ecddca17cc000eb3b238ce89a41afe33e6c5ac55 (diff)
download	FreeBSD-src-4145efe339257de7b699d476ad4581458f9236bb.zip FreeBSD-src-4145efe339257de7b699d476ad4581458f9236bb.tar.gz