diff options
author | marius <marius@FreeBSD.org> | 2007-12-20 00:31:04 +0000 |
---|---|---|
committer | marius <marius@FreeBSD.org> | 2007-12-20 00:31:04 +0000 |
commit | 2b9c38a67ac6679c2b23cb5b16ab578f23479bc6 (patch) | |
tree | 62092006999b85febc58bb57199fa7ee35f3c6f8 /sys/dev/ofw | |
parent | 662b60ede0958eba43cf93ce0088001b0d67de8c (diff) | |
download | FreeBSD-src-2b9c38a67ac6679c2b23cb5b16ab578f23479bc6.zip FreeBSD-src-2b9c38a67ac6679c2b23cb5b16ab578f23479bc6.tar.gz |
In openprom_ioctl() ensure appropriate permissions and that data isn't
NULL and doesn't point to a NULL pointer before dereferencing it. This
fixes a panic triggered by Xorg 7.3.
Reported and tested by: Bill Green
MFC after: 3 days
Diffstat (limited to 'sys/dev/ofw')
-rw-r--r-- | sys/dev/ofw/openpromio.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/sys/dev/ofw/openpromio.c b/sys/dev/ofw/openpromio.c index ca6aba7..cb7343f 100644 --- a/sys/dev/ofw/openpromio.c +++ b/sys/dev/ofw/openpromio.c @@ -101,12 +101,17 @@ openprom_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flags, char *buf; int error; + if ((flags & FREAD) == 0) + return (EPERM); + prop = buf = NULL; error = 0; - oprom = *(void **)data; switch (cmd) { case OPROMCHILD: case OPROMNEXT: + if (data == NULL || *(void **)data == NULL) + return (EINVAL); + oprom = *(void **)data; error = copyin(&oprom->oprom_size, &len, sizeof(len)); if (error != 0) break; @@ -135,6 +140,9 @@ openprom_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flags, break; case OPROMGETPROP: case OPROMNXTPROP: + if (data == NULL || *(void **)data == NULL) + return (EINVAL); + oprom = *(void **)data; error = copyin(&oprom->oprom_size, &len, sizeof(len)); if (error != 0) break; |