author | nectar <nectar@FreeBSD.org> | 2003-10-02 15:00:55 +0000 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2003-10-02 15:00:55 +0000 |
commit | 1857c0891b674258c28f179aeb7ac8084e6332af (patch) | |
tree | 68412e3bf4d1659ce2d53448d555682b65c6edae /sys/fs/procfs/procfs_dbregs.c | |
parent | 5dd11b6b7abea284ab69bc7728805be21c1bf67e (diff) | |
Introduce a uiomove_frombuf helper routine that handles computing and
validating the offset within a given memory buffer before handing the
real work off to uiomove(9).

Use uiomove_frombuf in procfs to correct several issues with
integer arithmetic that could result in underflows/overflows. As a
side-effect, the code is significantly simplified.

Add additional sanity checks when computing a memory allocation size
in pfs_read.

Submitted by: rwatson (original uiomove_frombuf -- bugs are mine :-)
Reported by: Joost Pol <joost@pine.nl> (integer underflows/overflows)
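
The validate-then-copy pattern the commit message describes, next to the length arithmetic it replaces, as an added user-space example. It is not FreeBSD's uiomove_frombuf or code from this commit: `struct req`, `old_len` and `copy_frombuf` are hypothetical names, and treating a past-the-end offset as an empty read is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space stand-in for the struct uio fields used here. */
struct req {
	int64_t offset;	/* caller-controlled offset */
	int resid;	/* bytes requested */
	char *dst;	/* destination buffer */
};

/* Length the removed procfs arithmetic would pass on to the copy. */
static int old_len(int buflen, const struct req *rq)
{
	int kl = buflen;
	kl = (int)(kl - rq->offset);	/* a negative offset makes kl exceed buflen */
	if (kl > rq->resid)
		kl = rq->resid;
	return (kl);			/* the old code rejected only kl < 0 */
}

/* Validate offset and length first, then copy. Returns 0 or an errno value. */
static int copy_frombuf(const void *buf, int buflen, struct req *rq, int *copied)
{
	int64_t avail;
	int n;
	*copied = 0;
	if (rq->offset < 0 || rq->resid < 0)
		return (EINVAL);
	if (buflen <= 0 || rq->offset >= buflen)
		return (0);		/* assumption: past-the-end is an empty read */
	avail = buflen - rq->offset;	/* in 1..buflen, cannot wrap */
	n = avail < rq->resid ? (int)avail : rq->resid;
	memcpy(rq->dst, (const char *)buf + rq->offset, (size_t)n);
	rq->offset += n;
	rq->resid -= n;
	*copied = n;
	return (0);
}

int main(void)
{
	char src[16] = "constructed-buf", out[64];
	struct req rq = { -32, 40, out };	/* constructed request, negative offset */
	int n, err = copy_frombuf(src, (int)sizeof(src), &rq, &n);
	printf("old length %d, checked copy: err=%d n=%d\n", old_len(16, &rq), err, n);
	return (0);
}
```

With a 16-byte buffer, the old arithmetic accepts a 40-byte length for the negative offset, while the checked routine rejects the request before any pointer is formed.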
Diffstat (limited to 'sys/fs/procfs/procfs_dbregs.c')
-rw-r--r-- | sys/fs/procfs/procfs_dbregs.c | 18 |
1 files changed, 3 insertions, 15 deletions
diff --git a/sys/fs/procfs/procfs_dbregs.c b/sys/fs/procfs/procfs_dbregs.c index ae6e794..7ea4b91 100644 --- a/sys/fs/procfs/procfs_dbregs.c +++ b/sys/fs/procfs/procfs_dbregs.c @@ -65,31 +65,19 @@ procfs_doprocdbregs(PFS_FILL_ARGS) { int error; struct dbreg r; - char *kv; - int kl; PROC_LOCK(p); if (p_candebug(td, p) != 0) { PROC_UNLOCK(p); return (EPERM); } - kl = sizeof(r); - kv = (char *) &r; - - kv += uio->uio_offset; - kl -= uio->uio_offset; - if (kl > uio->uio_resid) - kl = uio->uio_resid; _PHOLD(p); - if (kl < 0) - error = EINVAL; - else - /* XXXKSE: */ - error = proc_read_dbregs(FIRST_THREAD_IN_PROC(p), &r); + /* XXXKSE: */ + error = proc_read_dbregs(FIRST_THREAD_IN_PROC(p), &r); if (error == 0) { PROC_UNLOCK(p); - error = uiomove(kv, kl, uio); + error = uiomove_frombuf(&r, sizeof(r), uio); PROC_LOCK(p); } if (error == 0 && uio->uio_rw == UIO_WRITE) { |
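
Review bot: In procfs_doprocdbregs the explicit `if (kl < 0) error = EINVAL;` path is removed and nothing left in this file states what an out-of-range uio->uio_offset now returns; that contract moves entirely into uiomove_frombuf, which this hunk does not show. Please add a short comment at the `uiomove_frombuf(&r, sizeof(r), uio)` call (or point to uiomove(9)) saying whether a negative or past-the-end offset yields EINVAL or a zero-length transfer, since this node previously returned EINVAL when the offset exceeded sizeof(r). Note also that proc_read_dbregs is now called before any offset validation, which looks harmless but is a change in ordering worth a word in the log. The trailing context tests `uio->uio_rw == UIO_WRITE`, so the helper is used to copy into r as well as out of it; the "frombuf" name reads as one-directional, and a one-line comment that it serves both directions would save the next reader a lookup. The surviving `/* XXXKSE: */` marker still does not say why FIRST_THREAD_IN_PROC(p) is acceptable here.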