diff options
author | kris <kris@FreeBSD.org> | 2001-09-10 11:28:07 +0000 |
---|---|---|
committer | kris <kris@FreeBSD.org> | 2001-09-10 11:28:07 +0000 |
commit | bd6f9cb9b63e7a70079067566e50b59abc81ce16 (patch) | |
tree | fd84e8d4d01cdc0f4ba330211093170c75b99172 /sys/i4b | |
parent | 335f7eeb6361cc1f5a1fd9251b0f63ef3451f5ba (diff) | |
download | FreeBSD-src-bd6f9cb9b63e7a70079067566e50b59abc81ce16.zip FreeBSD-src-bd6f9cb9b63e7a70079067566e50b59abc81ce16.tar.gz |
Fix some signed/unsigned integer confusion, and add bounds checking of
arguments to some functions.
Obtained from: NetBSD
Reviewed by: peter
MFC after: 2 weeks
Diffstat (limited to 'sys/i4b')
-rw-r--r-- | sys/i4b/include/i4b_ioctl.h | 1 | ||||
-rw-r--r-- | sys/i4b/layer4/i4b_i4bdrv.c | 7 |
2 files changed, 8 insertions, 0 deletions
diff --git a/sys/i4b/include/i4b_ioctl.h b/sys/i4b/include/i4b_ioctl.h index 9b062f1..e71c486 100644 --- a/sys/i4b/include/i4b_ioctl.h +++ b/sys/i4b/include/i4b_ioctl.h @@ -700,6 +700,7 @@ struct isdn_diagnostic_request { int controller; /* controller number */ u_int32_t cmd; /* diagnostic command to execute */ size_t in_param_len; /* length of additional input parameter */ +#define I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN 65536 void *in_param; /* optional input parameter */ size_t out_param_len; /* available output space */ void *out_param; /* output data goes here */ diff --git a/sys/i4b/layer4/i4b_i4bdrv.c b/sys/i4b/layer4/i4b_i4bdrv.c index 71c200f..f26adf8 100644 --- a/sys/i4b/layer4/i4b_i4bdrv.c +++ b/sys/i4b/layer4/i4b_i4bdrv.c @@ -859,6 +859,13 @@ download_done: if(req.in_param_len) { + /* XXX arbitrary limit */ + if (req.in_param_len > + I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN) { + error = EINVAL; + goto diag_done; + } + req.in_param = malloc(r->in_param_len, M_DEVBUF, M_WAITOK); if(!req.in_param) |