authorcel <cel@FreeBSD.org>2006-05-13 00:16:35 +0000
committercel <cel@FreeBSD.org>2006-05-13 00:16:35 +0000
commitd46957d5ba4569a5230c34999591a0702f98c812 (patch)
treea65145043677ccf29ba1db523a7a6c213063f4f0 /sys/nfs4client
parent4bf82b99a793b8083c7ec37b5b66389a6532293c (diff)
Add better sanity checking to the logic that handles ioctl processing
for nfsclient and nfs4client in order to prevent local root users from panicking the system. PR: kern/77463 Submitted by: Wojciech A. Koszek Reviewed by: cel, rees MFC after: 2 weeks Security: Local root users can panic the system at will
Diffstat (limited to 'sys/nfs4client')
-rw-r--r--sys/nfs4client/nfs4_dev.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/nfs4client/nfs4_dev.c b/sys/nfs4client/nfs4_dev.c
index 7f780a9..35276d3 100644
--- a/sys/nfs4client/nfs4_dev.c
+++ b/sys/nfs4client/nfs4_dev.c
@@ -152,11 +152,12 @@ nfs4dev_reply(caddr_t addr)
return EINVAL;
}
- if (m->msg_len == 0 || m->msg_len > NFS4DEV_MSG_MAX_DATALEN) {
+ if (m->msg_len < sizeof(*m) - NFS4DEV_MSG_MAX_DATALEN ||
+ m->msg_len > NFS4DEV_MSG_MAX_DATALEN) {
NFS4DEV_DEBUG("bad message length\n");
return EINVAL;
}
-
+
/* match the reply with a request */
mtx_lock(&nfs4dev_waitq_mtx);
TAILQ_FOREACH(u, &nfs4dev_waitq, up_entry) {
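Review bot: The two bounds in the new `m->msg_len` test appear to measure different things. The lower bound `sizeof(*m) - NFS4DEV_MSG_MAX_DATALEN` reads as the size of the fixed header, while the upper bound is still the payload maximum `NFS4DEV_MSG_MAX_DATALEN`. It is therefore unclear whether `msg_len` counts the whole message or only the data, and the accepted range depends on which it is. The field's declaration and the code that later consumes `msg_len` are outside the hunk, so confirm its type (a signed type would change how both comparisons treat a negative value) and its meaning. A named constant for the header size, plus a comment such as `/* msg_len is caller-supplied: reject anything outside [header size, max] before it is used as a copy length */`, would make the intended range reviewable.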
@@ -197,8 +198,10 @@ found:
return 0;
bad:
- u->up_error = error;
- wakeup(u);
+ if (u) {
+ u->up_error = error;
+ wakeup(u);
+ }
return error;
}
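Review bot: The `if (u)` guard at `bad:` is only safe if `u` is NULL on every path that reaches the label without a matched request. After a `TAILQ_FOREACH` that finds no match it will be NULL, but the declaration of `u` and the `goto bad` sites lie outside the hunk. If any jump can occur before the loop runs, `u` must be initialised to NULL at its declaration or the test reads an indeterminate pointer. A comment on the guard would record the dependency, for example `/* u is NULL when no waiting request matched this reply */`, and `if (u != NULL)` is the more explicit spelling. Whether `nfs4dev_waitq_mtx` is still held when `u->up_error` is written is not visible here and is worth confirming, since the waiter may otherwise release `u` concurrently.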