author | mux <mux@FreeBSD.org> | 2002-06-22 18:07:05 +0000 |
---|---|---|
committer | mux <mux@FreeBSD.org> | 2002-06-22 18:07:05 +0000 |
commit | 24aca74f2d8f32d095211c58574575b894cf065f (patch) | |
tree | 7cdf750010272d9177228018d75cd78687b9b790 /sys/kern/vfs_extattr.c | |
parent | 173c0403c2c177ab0ed44921e355b997ff2fe0e5 (diff) | |
o Remove the initialization of unused fields in the struct
uio now that we don't use uiomove() anymore.
o Enforce stricter checks on the length of the iov's in
nmount(2) since we now malloc() them individually and
corrupted iov's could make the kernel crash in malloc()
with "kmem_map too small".
Reviewed by: phk
Diffstat (limited to 'sys/kern/vfs_extattr.c')
-rw-r--r-- | sys/kern/vfs_extattr.c | 30 |
1 files changed, 5 insertions, 25 deletions
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index d66417e..7637dcd 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -119,7 +119,8 @@ nmount(td, uap)
 struct uio auio;
 struct iovec *iov, *needfree;
 struct iovec aiov[UIO_SMALLIOV];
- long error, i;
+ unsigned int i;
+ int error;
 u_int iovlen, iovcnt;
 iovcnt = SCARG(uap, iovcnt);
@@ -140,19 +141,15 @@ nmount(td, uap)
 }
 auio.uio_iov = iov;
 auio.uio_iovcnt = iovcnt;
- auio.uio_rw = UIO_WRITE;
 auio.uio_segflg = UIO_USERSPACE;
- auio.uio_td = td;
- auio.uio_offset = 0;
- auio.uio_resid = 0;
 if ((error = copyin((caddr_t)uap->iovp, (caddr_t)iov, iovlen)))
 goto finish;
+
 for (i = 0; i < iovcnt; i++) {
- if (iov->iov_len > INT_MAX - auio.uio_resid) {
+ if (iov->iov_len > MMAXOPTIONLEN) {
 error = EINVAL;
 goto finish;
 }
- auio.uio_resid += iov->iov_len;
 iov++;
 }
 error = vfs_nmount(td, SCARG(uap, flags), &auio);
@@ -188,8 +185,7 @@ kernel_mount(iovp, iovcnt, flags)
 int flags;
 {
 struct uio auio;
- struct iovec *iov;
- int error, i;
+ int error;
 /*
 * Check that we have an even number of iovec's
@@ -200,19 +196,7 @@ kernel_mount(iovp, iovcnt, flags)
 auio.uio_iov = iovp;
 auio.uio_iovcnt = iovcnt;
- auio.uio_rw = UIO_WRITE;
 auio.uio_segflg = UIO_SYSSPACE;
- auio.uio_offset = 0;
- auio.uio_td = NULL;
- auio.uio_resid = 0;
- iov = iovp;
- for (i = 0; i < iovcnt; i++) {
- if (iov->iov_len > INT_MAX - auio.uio_resid) {
- return (EINVAL);
- }
- auio.uio_resid += iov->iov_len;
- iov++;
- }
 error = vfs_nmount(curthread, flags, &auio);
 return (error);
@@ -255,11 +239,7 @@ kernel_vmount(int flags, ...)
 auio.uio_iov = iovp;
 auio.uio_iovcnt = iovcnt;
- auio.uio_rw = UIO_WRITE;
 auio.uio_segflg = UIO_SYSSPACE;
- auio.uio_offset = 0;
- auio.uio_td = NULL;
- auio.uio_resid = len;
 error = vfs_nmount(curthread, flags, &auio);
 FREE(iovp, M_MOUNT);
|
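Review bot: The new `if (iov->iov_len > MMAXOPTIONLEN)` test in nmount()'s loop caps each element, but nothing in this hunk bounds the total any more, which the removed `INT_MAX - auio.uio_resid` test did. Whether iovcnt is capped is decided in the part of nmount() outside the hunk; if it is not, user space can still ask for up to iovcnt × MMAXOPTIONLEN bytes of kernel memory, so that cap (for example against UIO_MAXIOV) should be confirmed. The check also sits in the syscall wrapper rather than next to the per-iov malloc() the commit message describes, and the kernel_mount() and kernel_vmount() hunks drop their length checks entirely. Moving the test into vfs_nmount() would cover all three entry points. If it stays here, a comment such as `/* vfs_nmount() malloc()s iov_len bytes per element; reject oversized options before that. */` above the loop would record why the limit exists.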
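Review bot: `auio` in kernel_mount() is a stack `struct uio` that now has only uio_iov, uio_iovcnt and uio_segflg assigned, so uio_rw, uio_offset, uio_td and uio_resid hold whatever was on the stack when `&auio` is handed to vfs_nmount(). The nmount() and kernel_vmount() hunks leave the structure in the same state. The commit message says those fields are unused now that uiomove() is gone, but vfs_nmount() is not visible here, and any later code that starts reading one of them would silently consume uninitialised kernel stack. Either clear the structure first with `bzero(&auio, sizeof(auio));` before the three assignments, or add a comment at each site stating that vfs_nmount() reads only uio_iov, uio_iovcnt and uio_segflg.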