svn commit: r192012 - head/sys/fs/fdescfs

Konstantin Belousov kib at FreeBSD.org
Tue May 12 09:22:34 UTC 2009


Author: kib
Date: Tue May 12 09:22:33 2009
New Revision: 192012
URL: http://svn.freebsd.org/changeset/base/192012

Log:
  Return controlled EINVAL when the fdescfs lookup routine is given a string
  representing too large an integer, instead of overflowing and possibly
  returning a random but valid vnode.
  
  Noted by:	Jilles Tjoelker <jilles stack nl>
  MFC after:	3 days

Modified:
  head/sys/fs/fdescfs/fdesc_vnops.c

Modified: head/sys/fs/fdescfs/fdesc_vnops.c
==============================================================================
--- head/sys/fs/fdescfs/fdesc_vnops.c	Tue May 12 07:41:20 2009	(r192011)
+++ head/sys/fs/fdescfs/fdesc_vnops.c	Tue May 12 09:22:33 2009	(r192012)
@@ -265,7 +265,7 @@ fdesc_lookup(ap)
 	struct thread *td = cnp->cn_thread;
 	struct file *fp;
 	int nlen = cnp->cn_namelen;
-	u_int fd;
+	u_int fd, fd1;
 	int error;
 	struct vnode *fvp;
 
@@ -297,7 +297,12 @@ fdesc_lookup(ap)
 			error = ENOENT;
 			goto bad;
 		}
-		fd = 10 * fd + *pname++ - '0';
+		fd1 = 10 * fd + *pname++ - '0';
+		if (fd1 < fd) {
+			error = ENOENT;
+			goto bad;
+		}
+		fd = fd1;
 	}
 
 	if ((error = fget(td, fd, &fp)) != 0)
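
Review bot: The `fd1 < fd` test in the digit loop does not catch every wrap of `10 * fd + *pname++ - '0'`, because the multiplication by 10 can overflow u_int and still leave a result that is not smaller than the old fd. With a 32-bit u_int, fd = 858993459 followed by the digit 0 gives 4294967294 after wrapping, which passes the check, so a long enough digit string can still reach fget() with a wrapped value. Checking before the multiply, for example rejecting when fd > (UINT_MAX - digit) / 10, closes that gap. Separately, the log message says EINVAL is returned, but the new branch sets `error = ENOENT`; one of the two should be changed so they agree.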

