authorsbruno <sbruno@FreeBSD.org>2016-04-18 23:26:11 +0000
committersbruno <sbruno@FreeBSD.org>2016-04-18 23:26:11 +0000
commit022b7dfaf4a06a63ae3054117c2d72e1e16f50a5 (patch)
treee2b08022c32e7dbfb268f0e9573a8c714bd7d931
parent2b75f57932d5da46b59518aea907b6f346debbf0 (diff)
hptmv(4) Fix potential buffer overflow in hpt_set_info.
While here, adjust some whitespace and yield some useful debug info. This is untested on this hardware; testing requests to -scsi went unanswered. PR: 206585 Submitted by: cturt@hardenedbsd.org MFC after: 2 weeks
-rw-r--r--sys/dev/hptmv/hptproc.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/sys/dev/hptmv/hptproc.c b/sys/dev/hptmv/hptproc.c
index 3981b71..9e89756 100644
--- a/sys/dev/hptmv/hptproc.c
+++ b/sys/dev/hptmv/hptproc.c
@@ -308,7 +308,9 @@ hpt_set_info(int length)
/*
* map buffer to kernel.
*/
- if (piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
+ if (piop->nInBufferSize > PAGE_SIZE ||
+ piop->nOutBufferSize > PAGE_SIZE ||
+ piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
KdPrintE(("User buffer too large\n"));
return -EINVAL;
}
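Review bot: The three-clause size check is only sound if `nInBufferSize` and `nOutBufferSize` are unsigned, and their declarations are not visible in this hunk; if either is a signed type, a negative value passes all three comparisons. Even with unsigned fields, the third clause depends on the first two to keep the addition from wrapping, which the code does not say. I would add a comment such as `/* Bound each size first: the sum alone can wrap and pass the check. */`, or drop the addition with `piop->nInBufferSize > PAGE_SIZE || piop->nOutBufferSize > PAGE_SIZE - piop->nInBufferSize`. The allocation that consumes these sizes is in the part of hpt_set_info between this hunk and the next, so it cannot be checked from here.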
@@ -319,8 +321,13 @@ hpt_set_info(int length)
return -EINVAL;
}
- if (piop->nInBufferSize)
- copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize);
+ if (piop->nInBufferSize) {
+ if (copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize) != 0) {
+ KdPrintE(("Failed to copyin from lpInBuffer\n"));
+ free(ke_area, M_DEVBUF);
+ return -EFAULT;
+ }
+ }
/*
* call kernel handler.
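Review bot: Only the inbound `copyin()` gets a return check here; if hpt_set_info later copies results back to the user's output buffer (that code is outside this hunk), that call should get the same check and the same `free(ke_area, M_DEVBUF)` cleanup. The allocation of `ke_area` is not visible either. If it is not zero-filled, the output part of the buffer could carry stale kernel heap contents back to user space whenever the handler writes fewer than `nOutBufferSize` bytes, so confirm the allocation zeroes it or that only the bytes actually produced are copied out. The new failure path also discards the value `copyin()` returned; logging it in the `KdPrintE` message would make the debug output more useful.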
@@ -342,7 +349,7 @@ hpt_set_info(int length)
else KdPrintW(("Kernel_ioctl(): return %d\n", err));
free(ke_area, M_DEVBUF);
- return -EINVAL;
+ return -EINVAL;
} else {
KdPrintW(("Wrong signature: %x\n", piop->Magic));
return -EINVAL;