Do not allocate memory based on not-checked argument from userland.

It can be used to panic the kernel by giving too big value. Fix it by moving allocation and size verification into kern_getfsstat(). This even simplifies kern_getfsstat() consumers, but destroys symmetry - memory is allocated inside kern_getfsstat(), but has to be freed by the caller. Found by: FreeBSD Kernel Stress Test Suite: http://www.holm.cc/stress/ Reported by: Peter Holm <peter@holm.cc>
author: pjd <pjd@FreeBSD.org> 2005-06-11 14:58:20 +0000
committer: pjd <pjd@FreeBSD.org> 2005-06-11 14:58:20 +0000
commit: be79126844179d84dda297cece04bb6d2462eb03 (patch)
tree: ba08cbe1479ab6475a323dcd20c59c880dafee4d /sys/alpha
parent: e5e29d142df527fb60c2bf5787693048c03ccd91 (diff)
download: FreeBSD-src-be79126844179d84dda297cece04bb6d2462eb03.zip
FreeBSD-src-be79126844179d84dda297cece04bb6d2462eb03.tar.gz
1 files changed, 2 insertions, 6 deletions
diff --git a/sys/alpha/osf1/osf1_mount.c b/sys/alpha/osf1/osf1_mount.c
index 05c91ff..d0ef281 100644
--- a/sys/alpha/osf1/osf1_mount.c
+++ b/sys/alpha/osf1/osf1_mount.c
@@ -170,12 +170,8 @@ osf1_getfsstat(td, uap)
 
 	count = uap->bufsize / sizeof(struct osf1_statfs);
 	size = count * sizeof(struct statfs);
-	if (size > 0)
-		buf = malloc(size, M_TEMP, M_WAITOK);
-	else
-		buf = NULL;
-	error = kern_getfsstat(td, buf, size, UIO_SYSSPACE, flags);
-	if (buf != NULL) {
+	error = kern_getfsstat(td, &buf, size, UIO_SYSSPACE, flags);
+	if (size > 0) {
 		count = td->td_retval[0];
 		sp = buf;
 		while (count > 0 && error == 0) {
author	pjd <pjd@FreeBSD.org>	2005-06-11 14:58:20 +0000
committer	pjd <pjd@FreeBSD.org>	2005-06-11 14:58:20 +0000
commit	be79126844179d84dda297cece04bb6d2462eb03 (patch)
tree	ba08cbe1479ab6475a323dcd20c59c880dafee4d /sys/alpha
parent	e5e29d142df527fb60c2bf5787693048c03ccd91 (diff)
download	FreeBSD-src-be79126844179d84dda297cece04bb6d2462eb03.zip FreeBSD-src-be79126844179d84dda297cece04bb6d2462eb03.tar.gz