From be79126844179d84dda297cece04bb6d2462eb03 Mon Sep 17 00:00:00 2001
From: pjd
Date: Sat, 11 Jun 2005 14:58:20 +0000
Subject: Do not allocate memory based on not-checked argument from userland. It can be used to panic the kernel by giving too big value. Fix it by moving allocation and size verification into kern_getfsstat(). This even simplifies kern_getfsstat() consumers, but destroys symmetry - memory is allocated inside kern_getfsstat(), but has to be freed by the caller. Found by: FreeBSD Kernel Stress Test Suite: http://www.holm.cc/stress/ Reported by: Peter Holm
---
 sys/alpha/osf1/osf1_mount.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
(limited to 'sys/alpha')
diff --git a/sys/alpha/osf1/osf1_mount.c b/sys/alpha/osf1/osf1_mount.c
index 05c91ff..d0ef281 100644
--- a/sys/alpha/osf1/osf1_mount.c
+++ b/sys/alpha/osf1/osf1_mount.c
@@ -170,12 +170,8 @@ osf1_getfsstat(td, uap)
 count = uap->bufsize / sizeof(struct osf1_statfs);
 size = count * sizeof(struct statfs);
- if (size > 0)
- buf = malloc(size, M_TEMP, M_WAITOK);
- else
- buf = NULL;
- error = kern_getfsstat(td, buf, size, UIO_SYSSPACE, flags);
- if (buf != NULL) {
+ error = kern_getfsstat(td, &buf, size, UIO_SYSSPACE, flags);
+ if (size > 0) {
 count = td->td_retval[0];
 sp = buf;
 while (count > 0 && error == 0) {
-- 
cgit v1.1
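Review bot: The new guard `if (size > 0) {` stands in for "kern_getfsstat() allocated buf", but buf is not initialised anywhere in this hunk, so the caller depends on the callee storing a pointer on every return path, including error returns. kern_getfsstat() and the rest of osf1_getfsstat() (where the buffer is presumably freed) lie outside the hunk, so this cannot be confirmed from here; setting `buf = NULL;` before the call and keeping the old test `if (buf != NULL) {` would keep the caller safe whatever the callee does on failure. Separately, `size = count * sizeof(struct statfs);` is still derived from the user-supplied `uap->bufsize`, and if struct statfs is larger than struct osf1_statfs the product can wrap before kern_getfsstat() gets to validate it. An upper bound on `count` ahead of the multiplication would close that.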