diff options
author | sbruno <sbruno@FreeBSD.org> | 2016-04-18 23:26:11 +0000 |
---|---|---|
committer | sbruno <sbruno@FreeBSD.org> | 2016-04-18 23:26:11 +0000 |
commit | 022b7dfaf4a06a63ae3054117c2d72e1e16f50a5 (patch) | |
tree | e2b08022c32e7dbfb268f0e9573a8c714bd7d931 | |
parent | 2b75f57932d5da46b59518aea907b6f346debbf0 (diff) | |
download | FreeBSD-src-022b7dfaf4a06a63ae3054117c2d72e1e16f50a5.zip FreeBSD-src-022b7dfaf4a06a63ae3054117c2d72e1e16f50a5.tar.gz |
hptmv(4) Fix potential buffer overflow in hpt_set_info.
While here, adjust some whitespace and yeild some useful debug info.
This is untested on this hardware, testing requests to -scsi went
unanswered.
PR: 206585
Submitted by: cturt@hardenedbsd.org
MFC after: 2 weeks
-rw-r--r-- | sys/dev/hptmv/hptproc.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/sys/dev/hptmv/hptproc.c b/sys/dev/hptmv/hptproc.c index 3981b71..9e89756 100644 --- a/sys/dev/hptmv/hptproc.c +++ b/sys/dev/hptmv/hptproc.c @@ -308,7 +308,9 @@ hpt_set_info(int length) /* * map buffer to kernel. */ - if (piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) { + if (piop->nInBufferSize > PAGE_SIZE || + piop->nOutBufferSize > PAGE_SIZE || + piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) { KdPrintE(("User buffer too large\n")); return -EINVAL; } @@ -319,8 +321,13 @@ hpt_set_info(int length) return -EINVAL; } - if (piop->nInBufferSize) - copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize); + if (piop->nInBufferSize) { + if (copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize) != 0) { + KdPrintE(("Failed to copyin from lpInBuffer\n")); + free(ke_area, M_DEVBUF); + return -EFAULT; + } + } /* * call kernel handler. @@ -342,7 +349,7 @@ hpt_set_info(int length) else KdPrintW(("Kernel_ioctl(): return %d\n", err)); free(ke_area, M_DEVBUF); - return -EINVAL; + return -EINVAL; } else { KdPrintW(("Wrong signature: %x\n", piop->Magic)); return -EINVAL; |