From d46957d5ba4569a5230c34999591a0702f98c812 Mon Sep 17 00:00:00 2001
From: cel <cel@FreeBSD.org>
Date: Sat, 13 May 2006 00:16:35 +0000
Subject: Add better sanity checking to the logic that handles ioctl processing
 for nfsclient and nfs4client in order to prevent local root users from
 panicing the system.

PR:		kern/77463
Submitted by:	Wojciech A. Koszek
Reviewed by:	cel, rees
MFC after:	2 weeks
Security:	Local root users can panic the system at will
---
 sys/nfs4client/nfs4_dev.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'sys/nfs4client')

diff --git a/sys/nfs4client/nfs4_dev.c b/sys/nfs4client/nfs4_dev.c
index 7f780a9..35276d3 100644
--- a/sys/nfs4client/nfs4_dev.c
+++ b/sys/nfs4client/nfs4_dev.c
@@ -152,11 +152,12 @@ nfs4dev_reply(caddr_t addr)
 		return EINVAL;
 	}
 
-	if (m->msg_len == 0 || m->msg_len > NFS4DEV_MSG_MAX_DATALEN) {
+	if (m->msg_len < sizeof(*m) - NFS4DEV_MSG_MAX_DATALEN ||
+		m->msg_len > NFS4DEV_MSG_MAX_DATALEN) {
 	  	NFS4DEV_DEBUG("bad message length\n");
 		return EINVAL;
 	}
-	  	
+
 	/* match the reply with a request */
 	mtx_lock(&nfs4dev_waitq_mtx);
 	TAILQ_FOREACH(u, &nfs4dev_waitq, up_entry) {
@@ -197,8 +198,10 @@ found:
 
 	return 0;
 bad:
-	u->up_error = error;
-	wakeup(u);
+	if (u) {
+		u->up_error = error;
+		wakeup(u);
+	}
 	return error;
 }
 
-- 
cgit v1.1