Limit IOCATAREQUEST ioctl data size to controller's maximum I/O size.

It fixes kernel panic when requested size is too large (0xffffffff), PR: kern/136726 Approved by: re (kib) MFC after: 2 weeks
author: mav <mav@FreeBSD.org> 2009-07-16 19:48:39 +0000
committer: mav <mav@FreeBSD.org> 2009-07-16 19:48:39 +0000
commit: d2202065d565efbe0f640ffbfe6c3fba617cf3d0 (patch)
tree: 4f85b933808bed917d808d318cbba7cb1efa76a4 /sys/dev
parent: 86904ca4632461c015b501d0a757251cd3677b40 (diff)
download: FreeBSD-src-d2202065d565efbe0f640ffbfe6c3fba617cf3d0.zip
FreeBSD-src-d2202065d565efbe0f640ffbfe6c3fba617cf3d0.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/dev/ata/ata-all.c b/sys/dev/ata/ata-all.c
index 4530767..383060c 100644
--- a/sys/dev/ata/ata-all.c
+++ b/sys/dev/ata/ata-all.c
@@ -472,6 +472,7 @@ int
 ata_device_ioctl(device_t dev, u_long cmd, caddr_t data)
 {
     struct ata_device *atadev = device_get_softc(dev);
+    struct ata_channel *ch = device_get_softc(device_get_parent(dev));
     struct ata_ioc_request *ioc_request = (struct ata_ioc_request *)data;
     struct ata_params *params = (struct ata_params *)data;
     int *mode = (int *)data;
@@ -481,6 +482,10 @@ ata_device_ioctl(device_t dev, u_long cmd, caddr_t data)
 
     switch (cmd) {
     case IOCATAREQUEST:
+	if (ioc_request->count >
+	    (ch->dma.max_iosize ? ch->dma.max_iosize : DFLTPHYS)) {
+		return (EFBIG);
+	}
 	if (!(buf = malloc(ioc_request->count, M_ATA, M_NOWAIT))) {
 	    return ENOMEM;
 	}
author	mav <mav@FreeBSD.org>	2009-07-16 19:48:39 +0000
committer	mav <mav@FreeBSD.org>	2009-07-16 19:48:39 +0000
commit	d2202065d565efbe0f640ffbfe6c3fba617cf3d0 (patch)
tree	4f85b933808bed917d808d318cbba7cb1efa76a4 /sys/dev
parent	86904ca4632461c015b501d0a757251cd3677b40 (diff)
download	FreeBSD-src-d2202065d565efbe0f640ffbfe6c3fba617cf3d0.zip FreeBSD-src-d2202065d565efbe0f640ffbfe6c3fba617cf3d0.tar.gz