Return controlled EINVAL when the fdescfs lookup routine is given string

representing too large integer, instead of overflowing and possibly returning a random but valid vnode. Noted by: Jilles Tjoelker <jilles stack nl> MFC after: 3 days
author: kib <kib@FreeBSD.org> 2009-05-12 09:22:33 +0000
committer: kib <kib@FreeBSD.org> 2009-05-12 09:22:33 +0000
commit: 02642881c9082d8c3acae80acd2a53a476a9e433 (patch)
tree: 95106d9890e016655c15910089b039c13ac4b18b /sys/fs/fdescfs
parent: 7f344a91eab21a207d31e643c1079cc88802a11e (diff)
download: FreeBSD-src-02642881c9082d8c3acae80acd2a53a476a9e433.zip
FreeBSD-src-02642881c9082d8c3acae80acd2a53a476a9e433.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/fs/fdescfs/fdesc_vnops.c b/sys/fs/fdescfs/fdesc_vnops.c
index 9857d93..4474b17 100644
--- a/sys/fs/fdescfs/fdesc_vnops.c
+++ b/sys/fs/fdescfs/fdesc_vnops.c
@@ -265,7 +265,7 @@ fdesc_lookup(ap)
 	struct thread *td = cnp->cn_thread;
 	struct file *fp;
 	int nlen = cnp->cn_namelen;
-	u_int fd;
+	u_int fd, fd1;
 	int error;
 	struct vnode *fvp;
 
@@ -297,7 +297,12 @@ fdesc_lookup(ap)
 			error = ENOENT;
 			goto bad;
 		}
-		fd = 10 * fd + *pname++ - '0';
+		fd1 = 10 * fd + *pname++ - '0';
+		if (fd1 < fd) {
+			error = ENOENT;
+			goto bad;
+		}
+		fd = fd1;
 	}
 
 	if ((error = fget(td, fd, &fp)) != 0)
author	kib <kib@FreeBSD.org>	2009-05-12 09:22:33 +0000
committer	kib <kib@FreeBSD.org>	2009-05-12 09:22:33 +0000
commit	02642881c9082d8c3acae80acd2a53a476a9e433 (patch)
tree	95106d9890e016655c15910089b039c13ac4b18b /sys/fs/fdescfs
parent	7f344a91eab21a207d31e643c1079cc88802a11e (diff)
download	FreeBSD-src-02642881c9082d8c3acae80acd2a53a476a9e433.zip FreeBSD-src-02642881c9082d8c3acae80acd2a53a476a9e433.tar.gz