author | kib <kib@FreeBSD.org> | 2009-05-12 09:22:33 +0000 |
---|---|---|
committer | kib <kib@FreeBSD.org> | 2009-05-12 09:22:33 +0000 |
commit | 02642881c9082d8c3acae80acd2a53a476a9e433 (patch) | |
tree | 95106d9890e016655c15910089b039c13ac4b18b /sys/fs/fdescfs | |
parent | 7f344a91eab21a207d31e643c1079cc88802a11e (diff) | |
Return a controlled EINVAL when the fdescfs lookup routine is given a string
representing too large an integer, instead of overflowing and possibly
returning a random but valid vnode.
Noted by: Jilles Tjoelker <jilles stack nl>
MFC after: 3 days
Diffstat (limited to 'sys/fs/fdescfs')
-rw-r--r-- | sys/fs/fdescfs/fdesc_vnops.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/fs/fdescfs/fdesc_vnops.c b/sys/fs/fdescfs/fdesc_vnops.c
index 9857d93..4474b17 100644
--- a/sys/fs/fdescfs/fdesc_vnops.c
+++ b/sys/fs/fdescfs/fdesc_vnops.c
@@ -265,7 +265,7 @@ fdesc_lookup(ap)
 struct thread *td = cnp->cn_thread;
 struct file *fp;
 int nlen = cnp->cn_namelen;
- u_int fd;
+ u_int fd, fd1;
 int error;
 struct vnode *fvp;
@@ -297,7 +297,12 @@ fdesc_lookup(ap)
 error = ENOENT;
 goto bad;
 }
- fd = 10 * fd + *pname++ - '0';
+ fd1 = 10 * fd + *pname++ - '0';
+ if (fd1 < fd) {
+ error = ENOENT;
+ goto bad;
+ }
+ fd = fd1;
 }
 if ((error = fget(td, fd, &fp)) != 0) |
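Review bot: The wrap test `if (fd1 < fd)` in the second hunk does not catch every overflow of `10 * fd + digit`: with a 32-bit u_int, fd = 0x20000000 multiplies to 0x40000000 after truncation, which is still greater than fd and passes the check. Values that slip through are never smaller than the previous fd, so they stay large and the code presumably relies on fget() rejecting them as bad descriptors. Checking before the multiply, e.g. `if (fd > (UINT_MAX - (u_int)(*pname - '0')) / 10) { error = ENOENT; goto bad; }`, would make the bound explicit and remove the need for fd1. Separately, the commit message promises EINVAL while the added branch sets `error = ENOENT`; one of the two should be corrected. fdesc_lookup's body starts and ends outside these hunks.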