diff options
author | trociny <trociny@FreeBSD.org> | 2011-04-10 15:21:46 +0000 |
---|---|---|
committer | trociny <trociny@FreeBSD.org> | 2011-04-10 15:21:46 +0000 |
commit | cbdb24d2fbc9008ffc92de086967143e2226a214 (patch) | |
tree | 4e5ebdd8d834e2b0fca07eb50f74015606d8c0c5 /sbin/hastd/hast_proto.c | |
parent | 4ff6b11c089cbc6dbeade35b723f6bce514886a1 (diff) | |
download | FreeBSD-src-cbdb24d2fbc9008ffc92de086967143e2226a214.zip FreeBSD-src-cbdb24d2fbc9008ffc92de086967143e2226a214.tar.gz |
In hast_proto_recv_data() check that the size of the data to be
received does not exceed the buffer size.
Approved by: pjd (mentor)
MFC after: 1 week
Diffstat (limited to 'sbin/hastd/hast_proto.c')
-rw-r--r-- | sbin/hastd/hast_proto.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/sbin/hastd/hast_proto.c b/sbin/hastd/hast_proto.c index a7e1449..768fb2b 100644 --- a/sbin/hastd/hast_proto.c +++ b/sbin/hastd/hast_proto.c @@ -189,9 +189,12 @@ hast_proto_recv_data(const struct hast_resource *res, struct proto_conn *conn, dptr = data; dsize = nv_get_uint32(nv, "size"); - if (dsize == 0) + if (dsize > size) { + errno = EINVAL; + goto end; + } else if (dsize == 0) { (void)nv_set_error(nv, 0); - else { + } else { if (proto_recv(conn, data, dsize) < 0) goto end; for (ii = sizeof(pipeline) / sizeof(pipeline[0]); ii > 0; |