svn commit: r192140 - in stable/7/sys: . contrib/pf dev/ath/ath_hal dev/cxgb fs/fdescfs

Konstantin Belousov kib at FreeBSD.org
Fri May 15 10:45:53 UTC 2009


Author: kib
Date: Fri May 15 10:45:52 2009
New Revision: 192140
URL: http://svn.freebsd.org/changeset/base/192140

Log:
  MFC r192012:
  Return controlled EINVAL when the fdescfs lookup routine is given string
  representing too large integer, instead of overflowing and possibly
  returning a random but valid vnode.

Modified:
  stable/7/sys/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)
  stable/7/sys/dev/ath/ath_hal/   (props changed)
  stable/7/sys/dev/cxgb/   (props changed)
  stable/7/sys/fs/fdescfs/fdesc_vnops.c

Modified: stable/7/sys/fs/fdescfs/fdesc_vnops.c
==============================================================================
--- stable/7/sys/fs/fdescfs/fdesc_vnops.c	Fri May 15 10:11:54 2009	(r192139)
+++ stable/7/sys/fs/fdescfs/fdesc_vnops.c	Fri May 15 10:45:52 2009	(r192140)
@@ -264,7 +264,7 @@ fdesc_lookup(ap)
 	struct thread *td = cnp->cn_thread;
 	struct file *fp;
 	int nlen = cnp->cn_namelen;
-	u_int fd;
+	u_int fd, fd1;
 	int error;
 	struct vnode *fvp;
 
@@ -296,7 +296,12 @@ fdesc_lookup(ap)
 			error = ENOENT;
 			goto bad;
 		}
-		fd = 10 * fd + *pname++ - '0';
+		fd1 = 10 * fd + *pname++ - '0';
+		if (fd1 < fd) {
+			error = ENOENT;
+			goto bad;
+		}
+		fd = fd1;
 	}
 
 	if ((error = fget(td, fd, &fp)) != 0)


More information about the svn-src-stable-7 mailing list