Prevent integer overflow in direct pipe write code from circumventing

virtual-to-physical page lookups. [09:09] Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10] Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11] Approved by: so (cperciva) Approved by: re (not really, but SVN wants this...) Security: FreeBSD-SA-09:09.pipe Security: FreeBSD-SA-09:10.ipv6 Security: FreeBSD-SA-09:11.ntpd
author: cperciva <cperciva@FreeBSD.org> 2009-06-10 10:31:11 +0000
committer: cperciva <cperciva@FreeBSD.org> 2009-06-10 10:31:11 +0000
commit: 632fa4557466f1f20190899b29b3863089eb768f (patch)
tree: 5b29aae21aa521fce02ec60561dcdae1bcd23364 /sys/kern/sys_pipe.c
parent: 4cc0c5560a490046b2793a2d965825fe6446d508 (diff)
download: FreeBSD-src-632fa4557466f1f20190899b29b3863089eb768f.zip
FreeBSD-src-632fa4557466f1f20190899b29b3863089eb768f.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index ed48e54..f4adfcb 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -759,6 +759,8 @@ pipe_build_write_buffer(wpipe, uio)
 	pmap = vmspace_pmap(curproc->p_vmspace);
 	endaddr = round_page((vm_offset_t)uio->uio_iov->iov_base + size);
 	addr = trunc_page((vm_offset_t)uio->uio_iov->iov_base);
+	if (endaddr < addr)
+		return (EFAULT);
 	for (i = 0; addr < endaddr; addr += PAGE_SIZE, i++) {
 		/*
 		 * vm_fault_quick() can sleep.  Consequently,
author	cperciva <cperciva@FreeBSD.org>	2009-06-10 10:31:11 +0000
committer	cperciva <cperciva@FreeBSD.org>	2009-06-10 10:31:11 +0000
commit	632fa4557466f1f20190899b29b3863089eb768f (patch)
tree	5b29aae21aa521fce02ec60561dcdae1bcd23364 /sys/kern/sys_pipe.c
parent	4cc0c5560a490046b2793a2d965825fe6446d508 (diff)
download	FreeBSD-src-632fa4557466f1f20190899b29b3863089eb768f.zip FreeBSD-src-632fa4557466f1f20190899b29b3863089eb768f.tar.gz