diff options
author | hselasky <hselasky@FreeBSD.org> | 2014-10-30 08:04:48 +0000 |
---|---|---|
committer | hselasky <hselasky@FreeBSD.org> | 2014-10-30 08:04:48 +0000 |
commit | 1d17f744c7fc351c6163d4e1a9862bef78a632d5 (patch) | |
tree | b10daf90a34256f49336c4827661577d2b1339d3 /sys/dev/acpica | |
parent | 2b4fb093044897c573e0f1cfe28d235e8c83db08 (diff) | |
download | FreeBSD-src-1d17f744c7fc351c6163d4e1a9862bef78a632d5.zip FreeBSD-src-1d17f744c7fc351c6163d4e1a9862bef78a632d5.tar.gz |
MFC r273733, r273740 and r273773:
The SYSCTL data pointers can come from userspace and must not be
directly accessed. Although this will work on some platforms, it can
throw an exception if the pointer is invalid and then panic the kernel.
Add a missing SYSCTL_IN() of "SCTP_BASE_STATS" structure.
Sponsored by: Mellanox Technologies
Diffstat (limited to 'sys/dev/acpica')
-rw-r--r-- | sys/dev/acpica/acpi.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/sys/dev/acpica/acpi.c b/sys/dev/acpica/acpi.c index 315686b..2bf04c5 100644 --- a/sys/dev/acpica/acpi.c +++ b/sys/dev/acpica/acpi.c @@ -3748,6 +3748,7 @@ acpi_debug_sysctl(SYSCTL_HANDLER_ARGS) int error, *dbg; struct debugtag *tag; struct sbuf sb; + char temp[128]; if (sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND) == NULL) return (ENOMEM); @@ -3771,15 +3772,15 @@ acpi_debug_sysctl(SYSCTL_HANDLER_ARGS) } sbuf_trim(&sb); sbuf_finish(&sb); - - /* Copy out the old values to the user. */ - error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb)); + strlcpy(temp, sbuf_data(&sb), sizeof(temp)); sbuf_delete(&sb); - /* If the user is setting a string, parse it. */ + error = sysctl_handle_string(oidp, temp, sizeof(temp), req); + + /* Check for error or no change */ if (error == 0 && req->newptr != NULL) { *dbg = 0; - setenv((char *)oidp->oid_arg1, (char *)req->newptr); + setenv((char *)oidp->oid_arg1, temp); acpi_set_debugging(NULL); } ACPI_SERIAL_END(acpi); |