diff options
author | cel <cel@FreeBSD.org> | 2006-05-13 00:16:35 +0000 |
---|---|---|
committer | cel <cel@FreeBSD.org> | 2006-05-13 00:16:35 +0000 |
commit | d46957d5ba4569a5230c34999591a0702f98c812 (patch) | |
tree | a65145043677ccf29ba1db523a7a6c213063f4f0 /sys | |
parent | 4bf82b99a793b8083c7ec37b5b66389a6532293c (diff) | |
download | FreeBSD-src-d46957d5ba4569a5230c34999591a0702f98c812.zip FreeBSD-src-d46957d5ba4569a5230c34999591a0702f98c812.tar.gz |
Add better sanity checking to the logic that handles ioctl processing
for nfsclient and nfs4client in order to prevent local root users
from panicing the system.
PR: kern/77463
Submitted by: Wojciech A. Koszek
Reviewed by: cel, rees
MFC after: 2 weeks
Security: Local root users can panic the system at will
Diffstat (limited to 'sys')
-rw-r--r-- | sys/nfs4client/nfs4_dev.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/nfs4client/nfs4_dev.c b/sys/nfs4client/nfs4_dev.c index 7f780a9..35276d3 100644 --- a/sys/nfs4client/nfs4_dev.c +++ b/sys/nfs4client/nfs4_dev.c @@ -152,11 +152,12 @@ nfs4dev_reply(caddr_t addr) return EINVAL; } - if (m->msg_len == 0 || m->msg_len > NFS4DEV_MSG_MAX_DATALEN) { + if (m->msg_len < sizeof(*m) - NFS4DEV_MSG_MAX_DATALEN || + m->msg_len > NFS4DEV_MSG_MAX_DATALEN) { NFS4DEV_DEBUG("bad message length\n"); return EINVAL; } - + /* match the reply with a request */ mtx_lock(&nfs4dev_waitq_mtx); TAILQ_FOREACH(u, &nfs4dev_waitq, up_entry) { @@ -197,8 +198,10 @@ found: return 0; bad: - u->up_error = error; - wakeup(u); + if (u) { + u->up_error = error; + wakeup(u); + } return error; } |