author | kris <kris@FreeBSD.org> | 2001-09-10 11:28:07 +0000 |
---|---|---|
committer | kris <kris@FreeBSD.org> | 2001-09-10 11:28:07 +0000 |
commit | bd6f9cb9b63e7a70079067566e50b59abc81ce16 (patch) | |
tree | fd84e8d4d01cdc0f4ba330211093170c75b99172 | |
parent | 335f7eeb6361cc1f5a1fd9251b0f63ef3451f5ba (diff) | |
Fix some signed/unsigned integer confusion, and add bounds checking of
arguments to some functions.
Obtained from: NetBSD
Reviewed by: peter
MFC after: 2 weeks
-rw-r--r-- | sys/dev/ccd/ccd.c | 3 | ||||
-rw-r--r-- | sys/dev/mlx/mlx.c | 2 | ||||
-rw-r--r-- | sys/fs/umapfs/umap_vfsops.c | 6 | ||||
-rw-r--r-- | sys/geom/geom_ccd.c | 3 | ||||
-rw-r--r-- | sys/i386/include/i4b_ioctl.h | 1 | ||||
-rw-r--r-- | sys/i4b/include/i4b_ioctl.h | 1 | ||||
-rw-r--r-- | sys/i4b/layer4/i4b_i4bdrv.c | 7 | ||||
-rw-r--r-- | sys/kern/vfs_export.c | 5 | ||||
-rw-r--r-- | sys/net/if_ppp.c | 3 | ||||
-rw-r--r-- | sys/nfs/nfs.h | 8 | ||||
-rw-r--r-- | sys/nfsclient/nfs.h | 8 | ||||
-rw-r--r-- | sys/nfsclient/nfsargs.h | 8 | ||||
-rw-r--r-- | sys/nfsclient/nfsstats.h | 8 | ||||
-rw-r--r-- | sys/nfsserver/nfs.h | 8 | ||||
-rw-r--r-- | sys/nfsserver/nfsrvstats.h | 8 | ||||
-rw-r--r-- | sys/sys/ccdvar.h | 5 |
16 files changed, 57 insertions, 27 deletions
diff --git a/sys/dev/ccd/ccd.c b/sys/dev/ccd/ccd.c index 03f5a90..68df08e 100644 --- a/sys/dev/ccd/ccd.c +++ b/sys/dev/ccd/ccd.c @@ -1263,6 +1263,9 @@ ccdioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p) if ((error = ccdlock(cs)) != 0) return (error); + if (ccio->ccio_ndisks > CCD_MAXNDISKS) + return (EINVAL); + /* Fill in some important bits. */ cs->sc_ileave = ccio->ccio_ileave; if (cs->sc_ileave == 0 && diff --git a/sys/dev/mlx/mlx.c b/sys/dev/mlx/mlx.c index 189b787..b6ff7ea 100644 --- a/sys/dev/mlx/mlx.c +++ b/sys/dev/mlx/mlx.c @@ -1876,6 +1876,8 @@ mlx_user_command(struct mlx_softc *sc, struct mlx_usercommand *mu) /* if we need a buffer for data transfer, allocate one and copy in its initial contents */ if (mu->mu_datasize > 0) { + if (mu->mu_datasize > MAXPHYS) + return (EINVAL); if (((kbuf = malloc(mu->mu_datasize, M_DEVBUF, M_WAITOK)) == NULL) || (error = copyin(mu->mu_buf, kbuf, mu->mu_datasize))) goto out; diff --git a/sys/fs/umapfs/umap_vfsops.c b/sys/fs/umapfs/umap_vfsops.c index 6e01f3d..116ce16 100644 --- a/sys/fs/umapfs/umap_vfsops.c +++ b/sys/fs/umapfs/umap_vfsops.c @@ -167,6 +167,12 @@ umapfs_mount(mp, path, data, ndp, p) /* * Now copy in the number of entries and maps for umap mapping. */ + if (args.nentries > MAPFILEENTRIES || args.gnentries > + GMAPFILEENTRIES) { + vput(lowerrootvp); + return (error); + } + amp->info_nentries = args.nentries; amp->info_gnentries = args.gnentries; error = copyin(args.mapdata, (caddr_t)amp->info_mapdata, diff --git a/sys/geom/geom_ccd.c b/sys/geom/geom_ccd.c index 03f5a90..68df08e 100644 --- a/sys/geom/geom_ccd.c +++ b/sys/geom/geom_ccd.c @@ -1263,6 +1263,9 @@ ccdioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p) if ((error = ccdlock(cs)) != 0) return (error); + if (ccio->ccio_ndisks > CCD_MAXNDISKS) + return (EINVAL); + /* Fill in some important bits. */ cs->sc_ileave = ccio->ccio_ileave; if (cs->sc_ileave == 0 && 
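Review bot: The new `return (EINVAL);` in the sys/dev/ccd/ccd.c hunk comes directly after the successful `ccdlock(cs)` call, so a request with an oversized `ccio_ndisks` leaves the unit locked unless something outside the hunk releases it. Either hoist the bound check above `if ((error = ccdlock(cs)) != 0)` or release before leaving: `ccdunlock(cs); return (EINVAL);`. The identical hunk in sys/geom/geom_ccd.c has the same early return and needs the same change. ccdioctl's body starts and ends outside the hunk, so the need for an unlock is inferred from the lock call on the context line.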
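Review bot: The `MAXPHYS` check in mlx_user_command exits with a bare `return (EINVAL);`, while the failure path on the very next lines uses `goto out`. If `out` releases resources acquired earlier in the function (that code is outside the hunk), the direct return leaks them on every oversized request. Writing it as `error = EINVAL; goto out;` keeps a single exit path and matches the surrounding error handling.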
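Review bot: The rejection path in umapfs_mount returns `error` rather than an errno value, and nothing in the hunk assigns `error` before that return. If the preceding step succeeded, `error` is 0 and a mount with out-of-range `nentries` or `gnentries` is reported as successful after `vput(lowerrootvp)`; `return (EINVAL);` states the intent. If the two counts are signed in the argument structure (its declaration is not in this diff), a negative value also passes the `>` comparison and may reach the size of the `copyin` that follows, so a lower bound or an unsigned type is worth adding.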
diff --git a/sys/i386/include/i4b_ioctl.h b/sys/i386/include/i4b_ioctl.h index 9b062f1..e71c486 100644 --- a/sys/i386/include/i4b_ioctl.h +++ b/sys/i386/include/i4b_ioctl.h @@ -700,6 +700,7 @@ struct isdn_diagnostic_request { int controller; /* controller number */ u_int32_t cmd; /* diagnostic command to execute */ size_t in_param_len; /* length of additional input parameter */ +#define I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN 65536 void *in_param; /* optional input parameter */ size_t out_param_len; /* available output space */ void *out_param; /* output data goes here */ diff --git a/sys/i4b/include/i4b_ioctl.h b/sys/i4b/include/i4b_ioctl.h index 9b062f1..e71c486 100644 --- a/sys/i4b/include/i4b_ioctl.h +++ b/sys/i4b/include/i4b_ioctl.h @@ -700,6 +700,7 @@ struct isdn_diagnostic_request { int controller; /* controller number */ u_int32_t cmd; /* diagnostic command to execute */ size_t in_param_len; /* length of additional input parameter */ +#define I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN 65536 void *in_param; /* optional input parameter */ size_t out_param_len; /* available output space */ void *out_param; /* output data goes here */ diff --git a/sys/i4b/layer4/i4b_i4bdrv.c b/sys/i4b/layer4/i4b_i4bdrv.c index 71c200f..f26adf8 100644 --- a/sys/i4b/layer4/i4b_i4bdrv.c +++ b/sys/i4b/layer4/i4b_i4bdrv.c @@ -859,6 +859,13 @@ download_done: if(req.in_param_len) { + /* XXX arbitrary limit */ + if (req.in_param_len > + I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN) { + error = EINVAL; + goto diag_done; + } + req.in_param = malloc(r->in_param_len, M_DEVBUF, M_WAITOK); if(!req.in_param) diff --git a/sys/kern/vfs_export.c b/sys/kern/vfs_export.c index 53e67fa..722dca2 100644 --- a/sys/kern/vfs_export.c +++ b/sys/kern/vfs_export.c @@ -44,6 +44,7 @@ #include <sys/kernel.h> #include <sys/socket.h> #include <sys/malloc.h> +#include <sys/mbuf.h> #include <sys/mount.h> #include <net/radix.h> #include <sys/domain.h> 
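Review bot: In the i4b_i4bdrv.c hunk the bound is tested on `req.in_param_len`, but the allocation on the following line is sized from `r->in_param_len`. The check protects the `malloc` only if `req` and `*r` are guaranteed to hold the same value at this point, which the hunk does not show; passing `req.in_param_len` to `malloc` makes the checked length and the used length the same object. `struct isdn_diagnostic_request` also carries `out_param_len`, and this commit adds no limit for it, so any allocation sized from that field outside the hunk would want the same treatment.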
@@ -106,6 +107,10 @@ vfs_hang_addrlist(mp, nep, argp) mp->mnt_flag |= MNT_DEFEXPORTED; return (0); } + + if (argp->ex_addrlen > MLEN) + return (EINVAL); + i = sizeof(struct netcred) + argp->ex_addrlen + argp->ex_masklen; np = (struct netcred *) malloc(i, M_NETADDR, M_WAITOK | M_ZERO); saddr = (struct sockaddr *) (np + 1); diff --git a/sys/net/if_ppp.c b/sys/net/if_ppp.c index a501d1f..86c541b 100644 --- a/sys/net/if_ppp.c +++ b/sys/net/if_ppp.c @@ -345,7 +345,8 @@ pppioctl(sc, cmd, data, flag, p) int flag; struct proc *p; { - int s, flags, mru, nb, npx; + int s, flags, mru, npx; + u_int nb; int error = 0; struct ppp_option_data *odp; struct compressor **cp; diff --git a/sys/nfs/nfs.h b/sys/nfs/nfs.h index 2b0f664..44d04b9 100644 --- a/sys/nfs/nfs.h +++ b/sys/nfs/nfs.h @@ -198,9 +198,9 @@ struct nfsd_srvargs { uid_t nsd_uid; /* Effective uid mapped to cred */ u_int32_t nsd_haddr; /* Ip address of client */ struct xucred nsd_cr; /* Cred. uid maps to */ - int nsd_authlen; /* Length of auth string (ret) */ + u_int nsd_authlen; /* Length of auth string (ret) */ u_char *nsd_authstr; /* Auth string (ret) */ - int nsd_verflen; /* and the verfier */ + u_int nsd_verflen; /* and the verfier */ u_char *nsd_verfstr; struct timeval nsd_timestamp; /* timestamp from verifier */ u_int32_t nsd_ttl; /* credential ttl (sec) */ @@ -211,9 +211,9 @@ struct nfsd_cargs { char *ncd_dirp; /* Mount dir path */ uid_t ncd_authuid; /* Effective uid */ int ncd_authtype; /* Type of authenticator */ - int ncd_authlen; /* Length of authenticator string */ + u_int ncd_authlen; /* Length of authenticator string */ u_char *ncd_authstr; /* Authenticator string */ - int ncd_verflen; /* and the verifier */ + u_int ncd_verflen; /* and the verifier */ u_char *ncd_verfstr; NFSKERBKEY_T ncd_key; /* Session key */ }; diff --git a/sys/nfsclient/nfs.h b/sys/nfsclient/nfs.h index 2b0f664..44d04b9 100644 --- a/sys/nfsclient/nfs.h +++ b/sys/nfsclient/nfs.h 
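Review bot: Only `ex_addrlen` is bounded in vfs_hang_addrlist, yet the allocation size on the next line is `sizeof(struct netcred) + argp->ex_addrlen + argp->ex_masklen`, so `ex_masklen` still reaches `malloc` unchecked. `if (argp->ex_addrlen > MLEN || argp->ex_masklen > MLEN)` covers both operands. If either field is a signed type, a negative value passes the `>` test as well; the declarations are not part of this diff, so that needs confirming against the export argument structure.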
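Review bot: Changing `nb` to `u_int` in pppioctl helps only if every comparison it takes part in is against an unsigned or size-typed operand, and its uses are all outside the hunk. A comparison against one of the remaining `int` locals would now convert that `int` to unsigned, so each use site deserves a look. The declaration would also benefit from a comment recording why the type differs from its neighbours, for example `u_int nb; /* unsigned so a negative length cannot slip past a bound check */`, assuming `nb` does hold a length.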
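Review bot: Switching `nsd_authlen`, `nsd_verflen`, `ncd_authlen` and `ncd_verflen` to `u_int` in sys/nfs/nfs.h turns a negative length into a very large one rather than rejecting it, and the diffstat shows no NFS source file changed in this commit. The type change helps only where the consumer already compares these fields against a maximum before copying, which is not visible here. The same two hunks repeat in sys/nfsclient/nfs.h, sys/nfsclient/nfsargs.h, sys/nfsclient/nfsstats.h, sys/nfsserver/nfs.h and sys/nfsserver/nfsrvstats.h. A comment on each field naming the limit the callers enforce would document the contract in every copy.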
@@ -198,9 +198,9 @@ struct nfsd_srvargs { uid_t nsd_uid; /* Effective uid mapped to cred */ u_int32_t nsd_haddr; /* Ip address of client */ struct xucred nsd_cr; /* Cred. uid maps to */ - int nsd_authlen; /* Length of auth string (ret) */ + u_int nsd_authlen; /* Length of auth string (ret) */ u_char *nsd_authstr; /* Auth string (ret) */ - int nsd_verflen; /* and the verfier */ + u_int nsd_verflen; /* and the verfier */ u_char *nsd_verfstr; struct timeval nsd_timestamp; /* timestamp from verifier */ u_int32_t nsd_ttl; /* credential ttl (sec) */ @@ -211,9 +211,9 @@ struct nfsd_cargs { char *ncd_dirp; /* Mount dir path */ uid_t ncd_authuid; /* Effective uid */ int ncd_authtype; /* Type of authenticator */ - int ncd_authlen; /* Length of authenticator string */ + u_int ncd_authlen; /* Length of authenticator string */ u_char *ncd_authstr; /* Authenticator string */ - int ncd_verflen; /* and the verifier */ + u_int ncd_verflen; /* and the verifier */ u_char *ncd_verfstr; NFSKERBKEY_T ncd_key; /* Session key */ }; diff --git a/sys/nfsclient/nfsargs.h b/sys/nfsclient/nfsargs.h index 2b0f664..44d04b9 100644 --- a/sys/nfsclient/nfsargs.h +++ b/sys/nfsclient/nfsargs.h @@ -198,9 +198,9 @@ struct nfsd_srvargs { uid_t nsd_uid; /* Effective uid mapped to cred */ u_int32_t nsd_haddr; /* Ip address of client */ struct xucred nsd_cr; /* Cred. uid maps to */ - int nsd_authlen; /* Length of auth string (ret) */ + u_int nsd_authlen; /* Length of auth string (ret) */ u_char *nsd_authstr; /* Auth string (ret) */ - int nsd_verflen; /* and the verfier */ + u_int nsd_verflen; /* and the verfier */ u_char *nsd_verfstr; struct timeval nsd_timestamp; /* timestamp from verifier */ u_int32_t nsd_ttl; /* credential ttl (sec) */ 
@@ -211,9 +211,9 @@ struct nfsd_cargs { char *ncd_dirp; /* Mount dir path */ uid_t ncd_authuid; /* Effective uid */ int ncd_authtype; /* Type of authenticator */ - int ncd_authlen; /* Length of authenticator string */ + u_int ncd_authlen; /* Length of authenticator string */ u_char *ncd_authstr; /* Authenticator string */ - int ncd_verflen; /* and the verifier */ + u_int ncd_verflen; /* and the verifier */ u_char *ncd_verfstr; NFSKERBKEY_T ncd_key; /* Session key */ }; diff --git a/sys/nfsclient/nfsstats.h b/sys/nfsclient/nfsstats.h index 2b0f664..44d04b9 100644 --- a/sys/nfsclient/nfsstats.h +++ b/sys/nfsclient/nfsstats.h @@ -198,9 +198,9 @@ struct nfsd_srvargs { uid_t nsd_uid; /* Effective uid mapped to cred */ u_int32_t nsd_haddr; /* Ip address of client */ struct xucred nsd_cr; /* Cred. uid maps to */ - int nsd_authlen; /* Length of auth string (ret) */ + u_int nsd_authlen; /* Length of auth string (ret) */ u_char *nsd_authstr; /* Auth string (ret) */ - int nsd_verflen; /* and the verfier */ + u_int nsd_verflen; /* and the verfier */ u_char *nsd_verfstr; struct timeval nsd_timestamp; /* timestamp from verifier */ u_int32_t nsd_ttl; /* credential ttl (sec) */ @@ -211,9 +211,9 @@ struct nfsd_cargs { char *ncd_dirp; /* Mount dir path */ uid_t ncd_authuid; /* Effective uid */ int ncd_authtype; /* Type of authenticator */ - int ncd_authlen; /* Length of authenticator string */ + u_int ncd_authlen; /* Length of authenticator string */ u_char *ncd_authstr; /* Authenticator string */ - int ncd_verflen; /* and the verifier */ + u_int ncd_verflen; /* and the verifier */ u_char *ncd_verfstr; NFSKERBKEY_T ncd_key; /* Session key */ }; diff --git a/sys/nfsserver/nfs.h b/sys/nfsserver/nfs.h index 2b0f664..44d04b9 100644 --- a/sys/nfsserver/nfs.h +++ b/sys/nfsserver/nfs.h 
@@ -198,9 +198,9 @@ struct nfsd_srvargs { uid_t nsd_uid; /* Effective uid mapped to cred */ u_int32_t nsd_haddr; /* Ip address of client */ struct xucred nsd_cr; /* Cred. uid maps to */ - int nsd_authlen; /* Length of auth string (ret) */ + u_int nsd_authlen; /* Length of auth string (ret) */ u_char *nsd_authstr; /* Auth string (ret) */ - int nsd_verflen; /* and the verfier */ + u_int nsd_verflen; /* and the verfier */ u_char *nsd_verfstr; struct timeval nsd_timestamp; /* timestamp from verifier */ u_int32_t nsd_ttl; /* credential ttl (sec) */ @@ -211,9 +211,9 @@ struct nfsd_cargs { char *ncd_dirp; /* Mount dir path */ uid_t ncd_authuid; /* Effective uid */ int ncd_authtype; /* Type of authenticator */ - int ncd_authlen; /* Length of authenticator string */ + u_int ncd_authlen; /* Length of authenticator string */ u_char *ncd_authstr; /* Authenticator string */ - int ncd_verflen; /* and the verifier */ + u_int ncd_verflen; /* and the verifier */ u_char *ncd_verfstr; NFSKERBKEY_T ncd_key; /* Session key */ }; diff --git a/sys/nfsserver/nfsrvstats.h b/sys/nfsserver/nfsrvstats.h index 2b0f664..44d04b9 100644 --- a/sys/nfsserver/nfsrvstats.h +++ b/sys/nfsserver/nfsrvstats.h @@ -198,9 +198,9 @@ struct nfsd_srvargs { uid_t nsd_uid; /* Effective uid mapped to cred */ u_int32_t nsd_haddr; /* Ip address of client */ struct xucred nsd_cr; /* Cred. uid maps to */ - int nsd_authlen; /* Length of auth string (ret) */ + u_int nsd_authlen; /* Length of auth string (ret) */ u_char *nsd_authstr; /* Auth string (ret) */ - int nsd_verflen; /* and the verfier */ + u_int nsd_verflen; /* and the verfier */ u_char *nsd_verfstr; struct timeval nsd_timestamp; /* timestamp from verifier */ u_int32_t nsd_ttl; /* credential ttl (sec) */ 
@@ -211,9 +211,9 @@ struct nfsd_cargs { char *ncd_dirp; /* Mount dir path */ uid_t ncd_authuid; /* Effective uid */ int ncd_authtype; /* Type of authenticator */ - int ncd_authlen; /* Length of authenticator string */ + u_int ncd_authlen; /* Length of authenticator string */ u_char *ncd_authstr; /* Authenticator string */ - int ncd_verflen; /* and the verifier */ + u_int ncd_verflen; /* and the verifier */ u_char *ncd_verfstr; NFSKERBKEY_T ncd_key; /* Session key */ }; diff --git a/sys/sys/ccdvar.h b/sys/sys/ccdvar.h index 268ad7f..bfa9577 100644 --- a/sys/sys/ccdvar.h +++ b/sys/sys/ccdvar.h @@ -90,7 +90,7 @@ */ struct ccd_ioctl { char **ccio_disks; /* pointer to component paths */ - int ccio_ndisks; /* number of disks to concatenate */ + u_int ccio_ndisks; /* number of disks to concatenate */ int ccio_ileave; /* interleave (DEV_BSIZE blocks) */ int ccio_flags; /* misc. information */ int ccio_unit; /* unit number: use varies */ @@ -167,7 +167,8 @@ struct ccd_s { int sc_cflags; /* configuration flags */ size_t sc_size; /* size of ccd */ int sc_ileave; /* interleave */ - int sc_nccdisks; /* number of components */ + u_int sc_nccdisks; /* number of components */ +#define CCD_MAXNDISKS 65536 struct ccdcinfo *sc_cinfo; /* component info */ struct ccdiinfo *sc_itable; /* interleave table */ struct devstat device_stats; /* device statistics */ |
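Review bot: `CCD_MAXNDISKS` is defined in the middle of `struct ccd_s` in sys/sys/ccdvar.h with no indication of where 65536 comes from, unlike the i4b limit in this commit, which is at least marked `/* XXX arbitrary limit */`. A trailing comment such as `#define CCD_MAXNDISKS 65536 /* arbitrary sanity limit on ccio_ndisks */` would tell the next reader the value is a guard, not a hardware constraint. With `ccio_ndisks` and `sc_nccdisks` now `u_int`, any loop outside this diff that walks the components with a signed `int` index becomes a mixed-sign comparison and should be checked.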