svn commit: r298231 - head/sys/dev/hptmv

Sean Bruno sbruno at FreeBSD.org
Mon Apr 18 23:26:12 UTC 2016


Author: sbruno
Date: Mon Apr 18 23:26:11 2016
New Revision: 298231
URL: https://svnweb.freebsd.org/changeset/base/298231

Log:
  hptmv(4) Fix potential buffer overflow in hpt_set_info.
  
  While here, adjust some whitespace and yield some useful debug info.
  
  This is untested on this hardware, testing requests to -scsi went
  unanswered.
  
  PR:	206585
  Submitted by:	cturt at hardenedbsd.org
  MFC after:	2 weeks

Modified:
  head/sys/dev/hptmv/hptproc.c

Modified: head/sys/dev/hptmv/hptproc.c
==============================================================================
--- head/sys/dev/hptmv/hptproc.c	Mon Apr 18 23:09:22 2016	(r298230)
+++ head/sys/dev/hptmv/hptproc.c	Mon Apr 18 23:26:11 2016	(r298231)
@@ -308,7 +308,9 @@ hpt_set_info(int length)
 			/*
         	 	 * map buffer to kernel.
         	 	 */
-        		if (piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
+        		if (piop->nInBufferSize > PAGE_SIZE ||
+        			piop->nOutBufferSize > PAGE_SIZE ||
+        			piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
         			KdPrintE(("User buffer too large\n"));
         			return -EINVAL;
         		}
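Review bot: The three-clause guard is only sound if `nInBufferSize` and `nOutBufferSize` are unsigned, and their declarations are not visible in this hunk. If they are unsigned, the two per-field comparisons keep the sum from wrapping, but a signed field holding a negative value would pass all three clauses and then reach the allocation and copy as a huge length, so the field types are worth confirming. The reason for the extra clauses is also not recorded next to the code; I would add a comment above the `if` such as `/* Check each size on its own first: the sum of two user-supplied lengths can wrap. */` so a later cleanup does not fold the condition back into the single sum test. hpt_set_info starts and ends outside this hunk.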
@@ -319,8 +321,13 @@ hpt_set_info(int length)
 					return -EINVAL;
 				}
 
-			if (piop->nInBufferSize)
-				copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize);
+			if (piop->nInBufferSize) {
+				if (copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize) != 0) {
+					KdPrintE(("Failed to copyin from lpInBuffer\n"));
+					free(ke_area, M_DEVBUF);
+					return -EFAULT;
+				}
+			}
 
 			/*
 			  * call kernel handler.
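Review bot: Only the inbound copy is checked here; if hpt_set_info copies results back to `lpOutBuffer` with copyout after the handler runs (that code is outside this hunk, so this is inferred), its return value should get the same treatment, with `ke_area` freed and an error returned on failure. The new path also returns a fixed `-EFAULT` instead of the value copyin reported; keeping it in a local and returning `-error` would preserve the real cause. Since the buffer allocation is not shown either, confirm that `ke_area` is zeroed (for example with `M_ZERO`) or fully written by the handler before any copy-out, otherwise the output region could carry stale kernel heap contents to the caller.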
@@ -342,7 +349,7 @@ hpt_set_info(int length)
 			else  KdPrintW(("Kernel_ioctl(): return %d\n", err));
 
 			free(ke_area, M_DEVBUF);
-            		return -EINVAL;
+			return -EINVAL;
 		} else 	{
     		KdPrintW(("Wrong signature: %x\n", piop->Magic));
     		return -EINVAL;

