authoriedowse <iedowse@FreeBSD.org>2001-11-09 23:58:07 +0000
committeriedowse <iedowse@FreeBSD.org>2001-11-09 23:58:07 +0000
commit8122c9fcb409b8b399474666a0fe1fc5d8c8d8a2 (patch)
tree31795853c548ef46c1eabcbed8c20d75ffce1c44 /sys
parentd061342650aa6f8538bdb9ba2ce11271cb899dd6 (diff)
downloadFreeBSD-src-8122c9fcb409b8b399474666a0fe1fc5d8c8d8a2.zip
FreeBSD-src-8122c9fcb409b8b399474666a0fe1fc5d8c8d8a2.tar.gz
Properly sanity-check the old msgbuf structure before we accept it
as being valid. Previously only the magic number and the virtual address were checked, but it makes little sense to require that the virtual address is the same (the message buffer is located at the end of physical memory), and checks on the msg_bufx and msg_bufr indices were missing. Submitted by: Bodo Rueskamp <br@clabsms.de> Tripped over during a kernel debugging tutorial given by: grog Reviewed by: grog, dwmalone MFC after: 1 week
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/subr_prf.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index 8708704..5e2d310 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -802,14 +802,17 @@ msgbufinit(void *ptr, size_t size)
char *cp;
static struct msgbuf *oldp = NULL;
+ size -= sizeof(*msgbufp);
cp = (char *)ptr;
- msgbufp = (struct msgbuf *) (cp + size - sizeof(*msgbufp));
- if (msgbufp->msg_magic != MSG_MAGIC || msgbufp->msg_ptr != cp) {
+ msgbufp = (struct msgbuf *) (cp + size);
+ if (msgbufp->msg_magic != MSG_MAGIC || msgbufp->msg_size != size ||
+ msgbufp->msg_bufx >= size || msgbufp->msg_bufr >= size) {
bzero(cp, size);
+ bzero(msgbufp, sizeof(*msgbufp));
msgbufp->msg_magic = MSG_MAGIC;
msgbufp->msg_size = (char *)msgbufp - cp;
- msgbufp->msg_ptr = cp;
}
+ msgbufp->msg_ptr = cp;
if (msgbufmapped && oldp != msgbufp)
msgbufcopy(oldp);
msgbufmapped = 1;
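Review bot: The new `size -= sizeof(*msgbufp);` on the first added line is an unchecked unsigned subtraction, so a caller passing a size smaller than the msgbuf header wraps size_t and places msgbufp before ptr, where the magic and index checks then read out of bounds; a guard such as `KASSERT(size > sizeof(*msgbufp), ("msgbufinit: buffer smaller than struct msgbuf"));` before the subtraction would make that assumption explicit (assuming KASSERT is in scope via sys/systm.h, which this hunk does not show). Since msgbufp is now exactly `cp + size`, the reinitialisation line `msgbufp->msg_size = (char *)msgbufp - cp;` reduces to `msgbufp->msg_size = size;`, which also makes its agreement with the `msg_size != size` check obvious. Whether the `>= size` comparisons reject negative stale values in msg_bufx/msg_bufr depends on those fields' declared types, which are not visible here; if they are signed, the promotion to size_t makes negatives fail the check, which is the desired outcome but deserves a one-line comment so nobody "fixes" it later. msgbufinit's signature is outside the hunk and its body continues past the last line shown.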