author | pjd <pjd@FreeBSD.org> | 2005-06-11 14:58:20 +0000 |
---|---|---|
committer | pjd <pjd@FreeBSD.org> | 2005-06-11 14:58:20 +0000 |
commit | be79126844179d84dda297cece04bb6d2462eb03 (patch) | |
tree | ba08cbe1479ab6475a323dcd20c59c880dafee4d /sys/alpha | |
parent | e5e29d142df527fb60c2bf5787693048c03ccd91 (diff) | |
Do not allocate memory based on not-checked argument from userland.
It can be used to panic the kernel by giving too big value.
Fix it by moving allocation and size verification into kern_getfsstat().
This even simplifies kern_getfsstat() consumers, but destroys symmetry -
memory is allocated inside kern_getfsstat(), but has to be freed by the
caller.
Found by: FreeBSD Kernel Stress Test Suite: http://www.holm.cc/stress/
Reported by: Peter Holm <peter@holm.cc>
Diffstat (limited to 'sys/alpha')
-rw-r--r-- | sys/alpha/osf1/osf1_mount.c | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/sys/alpha/osf1/osf1_mount.c b/sys/alpha/osf1/osf1_mount.c index 05c91ff..d0ef281 100644 --- a/sys/alpha/osf1/osf1_mount.c +++ b/sys/alpha/osf1/osf1_mount.c @@ -170,12 +170,8 @@ osf1_getfsstat(td, uap) count = uap->bufsize / sizeof(struct osf1_statfs); size = count * sizeof(struct statfs); - if (size > 0) - buf = malloc(size, M_TEMP, M_WAITOK); - else - buf = NULL; - error = kern_getfsstat(td, buf, size, UIO_SYSSPACE, flags); - if (buf != NULL) { + error = kern_getfsstat(td, &buf, size, UIO_SYSSPACE, flags); + if (size > 0) { count = td->td_retval[0]; sp = buf; while (count > 0 && error == 0) { |
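Review bot: The new guard `if (size > 0)` in osf1_getfsstat() is entered even when kern_getfsstat() returned an error, so `sp = buf` depends on the callee having stored a value through `&buf` on every failure path, unless `buf` is initialized at its declaration, which is outside this hunk. Consider setting `buf = NULL` before the call or testing `error == 0 && size > 0`, so this caller never reads an unset pointer if the size is rejected before anything is allocated. Because the commit message states that the buffer is now allocated inside kern_getfsstat() but freed by the caller, a short comment at the call site recording that ownership would make the asymmetry harder to miss. Also note that `size = count * sizeof(struct statfs)` is still derived from `uap->bufsize` with no local bound, so this path relies entirely on the size verification inside kern_getfsstat().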