author | glebius <glebius@FreeBSD.org> | 2012-01-26 11:59:48 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2012-01-26 11:59:48 +0000 |
commit | 7900947bc5753da4e1cd11c973f438b5b58721ea (patch) | |
tree | da21e38138b7c4f0da32f18d3d36b6a3b2184b42 /sys/kern/vfs_aio.c | |
parent | f84b253d0e86e1ff545be806ad5e2cf702917b93 (diff) | |
download | FreeBSD-src-7900947bc5753da4e1cd11c973f438b5b58721ea.zip FreeBSD-src-7900947bc5753da4e1cd11c973f438b5b58721ea.tar.gz |
Although aio_nbytes is size_t, later it is cast to
signed types: to ssize_t in filesystem code and to
int in buf code, thus supplying a negative argument
leads to a kernel panic later. To fix that, check the user
supplied argument in the beginning of the syscall.
Submitted by: Maxim Dounin <mdounin mdounin.ru>, maxim@
Diffstat (limited to 'sys/kern/vfs_aio.c')
-rw-r--r-- | sys/kern/vfs_aio.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c index 7af9f55..fe682d8 100644 --- a/sys/kern/vfs_aio.c +++ b/sys/kern/vfs_aio.c @@ -1552,6 +1552,12 @@ aio_aqueue(struct thread *td, struct aiocb *job, struct aioliojob *lj, return (error); } + /* XXX: aio_nbytes is later casted to signed types. */ + if ((int)aiocbe->uaiocb.aio_nbytes < 0) { + uma_zfree(aiocb_zone, aiocbe); + return (EINVAL); + } + if (aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_KEVENT && aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_SIGNAL && aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_THREAD_ID && |
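Review bot: the new check `if ((int)aiocbe->uaiocb.aio_nbytes < 0)` only inspects the low 32 bits of a size_t, so on an LP64 platform a value such as 0x8000000000000001 truncates to a positive int, passes the check, and still becomes negative when the filesystem code casts it to ssize_t, which the commit message names as one of the two problem conversions; the `XXX` comment acknowledges this is a stopgap. A clearer and complete version compares the unsigned value against an explicit upper bound instead of relying on implementation-defined signed truncation, e.g. `if (aiocbe->uaiocb.aio_nbytes > INT_MAX)` (or whatever maximum I/O size the later int-based buf path actually tolerates), which rejects every value that either downstream cast would turn negative. The placement is otherwise right: it runs after the copyin succeeds, frees `aiocbe` before returning, and returns EINVAL like the neighbouring sigev_notify validation.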