diff options
author | kib <kib@FreeBSD.org> | 2008-05-26 10:01:13 +0000 |
---|---|---|
committer | kib <kib@FreeBSD.org> | 2008-05-26 10:01:13 +0000 |
commit | 5941eb261965ba0766bdcb4ed80bbb8efd3f1705 (patch) | |
tree | e5b55007286958936696a3e77c9d6f30118009c6 /sys/kern | |
parent | 449e5df4dce72beb8ccfe1d977d585a96abb2fe2 (diff) | |
download | FreeBSD-src-5941eb261965ba0766bdcb4ed80bbb8efd3f1705.zip FreeBSD-src-5941eb261965ba0766bdcb4ed80bbb8efd3f1705.tar.gz |
Take into account possible overflow when multiplying. The casuality is
the malloc call later, panicing kernel due to the oversized allocation.
Reported by: pho
Reviewed by: jeff
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_cpuset.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/kern/kern_cpuset.c b/sys/kern/kern_cpuset.c index 22b6677..1a2495e 100644 --- a/sys/kern/kern_cpuset.c +++ b/sys/kern/kern_cpuset.c @@ -805,7 +805,7 @@ cpuset_getaffinity(struct thread *td, struct cpuset_getaffinity_args *uap) size_t size; if (uap->cpusetsize < sizeof(cpuset_t) || - uap->cpusetsize * NBBY > CPU_MAXSIZE) + uap->cpusetsize > CPU_MAXSIZE / NBBY) return (ERANGE); size = uap->cpusetsize; mask = malloc(size, M_TEMP, M_WAITOK | M_ZERO); @@ -892,7 +892,7 @@ cpuset_setaffinity(struct thread *td, struct cpuset_setaffinity_args *uap) int error; if (uap->cpusetsize < sizeof(cpuset_t) || - uap->cpusetsize * NBBY > CPU_MAXSIZE) + uap->cpusetsize > CPU_MAXSIZE / NBBY) return (ERANGE); mask = malloc(uap->cpusetsize, M_TEMP, M_WAITOK | M_ZERO); error = copyin(uap->mask, mask, uap->cpusetsize); |