svn commit: r308250 - head/sys/cam/ctl

Edward Tomasz Napierala trasz at FreeBSD.org
Thu Nov 3 10:12:01 UTC 2016


Author: trasz
Date: Thu Nov  3 10:11:59 2016
New Revision: 308250
URL: https://svnweb.freebsd.org/changeset/base/308250

Log:
  Check for lengths being <= 0.  Note that this interface can only
  be accessed by root.  It uses unsigned ints instead of size_t
  to preserve the ABI.
  
  PR:		207627
  Submitted by:	ryan at ryanday.net (with slight tweaks)
  MFC after:	1 month

Modified:
  head/sys/cam/ctl/ctl.c
  head/sys/cam/ctl/ctl_ioctl.h

Modified: head/sys/cam/ctl/ctl.c
==============================================================================
--- head/sys/cam/ctl/ctl.c	Thu Nov  3 09:51:25 2016	(r308249)
+++ head/sys/cam/ctl/ctl.c	Thu Nov  3 10:11:59 2016	(r308250)
@@ -2370,7 +2370,7 @@ ctl_ioctl_fill_ooa(struct ctl_lun *lun, 
 }
 
 static void *
-ctl_copyin_alloc(void *user_addr, int len, char *error_str,
+ctl_copyin_alloc(void *user_addr, unsigned int len, char *error_str,
 		 size_t error_str_len)
 {
 	void *kptr;
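Review bot: With `len` now `unsigned int`, a length that was negative under the old signature arrives here as a very large value, and nothing visible in this commit bounds it from above; the new checks in ctl_copyin_args reject only zero. The body of ctl_copyin_alloc continues outside this hunk, so if it hands `len` directly to the allocator and copyin, a cap before the allocation would be worth adding, e.g. `if (len > MAX_ARG_LEN_PLACEHOLDER) { snprintf(error_str, error_str_len, "Length %u is too large", len); return (NULL); }`, where the limit name is a placeholder for whatever bound the project picks. The root-only access noted in the log narrows who can reach this, but it does not stop a buggy or confused caller from requesting a multi-gigabyte kernel allocation.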
@@ -2425,6 +2425,12 @@ ctl_copyin_args(int num_args, struct ctl
 	for (i = 0; i < num_args; i++) {
 		uint8_t *tmpptr;
 
+		if (args[i].namelen == 0) {
+			snprintf(error_str, error_str_len, "Argument %d "
+				 "name length is zero", i);
+			goto bailout;
+		}
+
 		args[i].kname = ctl_copyin_alloc(args[i].name,
 			args[i].namelen, error_str, error_str_len);
 		if (args[i].kname == NULL)
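Review bot: The new `namelen == 0` check, and the matching `vallen == 0` check in the next hunk, do not say why zero is invalid, and the reason is easy to lose in a later refactor. For the value it is visible at `tmpptr[args[i].vallen - 1]`: with an unsigned length, zero makes that index wrap and read far outside the buffer. The name path presumably has the same `[namelen - 1]` terminator test just past this hunk. A one-line comment above each check would record it, e.g. `/* Zero would make the [len - 1] NUL-terminator test below index out of bounds. */`.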
@@ -2437,10 +2443,17 @@ ctl_copyin_args(int num_args, struct ctl
 		}
 
 		if (args[i].flags & CTL_BEARG_RD) {
+			if (args[i].vallen == 0) {
+				snprintf(error_str, error_str_len, "Argument %d "
+					 "value length is zero", i);
+				goto bailout;
+			}
+
 			tmpptr = ctl_copyin_alloc(args[i].value,
 				args[i].vallen, error_str, error_str_len);
 			if (tmpptr == NULL)
 				goto bailout;
+
 			if ((args[i].flags & CTL_BEARG_ASCII)
 			 && (tmpptr[args[i].vallen - 1] != '\0')) {
 				snprintf(error_str, error_str_len, "Argument "

Modified: head/sys/cam/ctl/ctl_ioctl.h
==============================================================================
--- head/sys/cam/ctl/ctl_ioctl.h	Thu Nov  3 09:51:25 2016	(r308249)
+++ head/sys/cam/ctl/ctl_ioctl.h	Thu Nov  3 10:11:59 2016	(r308250)
@@ -317,20 +317,20 @@ typedef enum {
  *
  * flags:	Flags for the parameter, see above for values.
  *
- * vallen:	Length of the value in bytes.
+ * vallen:	Length of the value in bytes, including the terminating NUL.
  *
- * value:	Value to be set/fetched.
+ * value:	Value to be set/fetched. This must be NUL-terminated.
  *
  * kname:	For kernel use only.
  *
  * kvalue:	For kernel use only.
  */
 struct ctl_be_arg {
-	int	namelen;
-	char	*name;
-	int	flags;
-	int	vallen;
-	void	*value;
+	unsigned int	namelen;
+	char		*name;
+	int		flags;
+	unsigned int	vallen;
+	void		*value;
 
 	char	*kname;
 	void	*kvalue;
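Review bot: The updated comment says `value` must be NUL-terminated without qualification, but the check in ctl_copyin_args (ctl.c) tests the terminator only when `CTL_BEARG_ASCII` is set, so header and kernel disagree for non-ASCII values. Wording that matches the code would be `value: Value to be set/fetched. For CTL_BEARG_ASCII values this must be NUL-terminated.` and `vallen: Length of the value in bytes (must be non-zero); for CTL_BEARG_ASCII values this includes the terminating NUL.` The comment block starts outside this hunk, so `namelen` may already be described there; if not, it should also state that zero is rejected.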

