svn commit: r328315 - head/sys/dev/cxgb
Navdeep Parhar
np at FreeBSD.org
Wed Jan 24 05:16:12 UTC 2018
Author: np
Date: Wed Jan 24 05:16:11 2018
New Revision: 328315
URL: https://svnweb.freebsd.org/changeset/base/328315
Log:
cxgb(4): Validate offset/len in the GET_EEPROM ioctl.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Modified:
head/sys/dev/cxgb/cxgb_main.c
Modified: head/sys/dev/cxgb/cxgb_main.c
==============================================================================
--- head/sys/dev/cxgb/cxgb_main.c Wed Jan 24 05:09:21 2018 (r328314)
+++ head/sys/dev/cxgb/cxgb_main.c Wed Jan 24 05:16:11 2018 (r328315)
@@ -2958,8 +2958,14 @@ cxgb_extension_ioctl(struct cdev *dev, unsigned long c
case CHELSIO_GET_EEPROM: {
int i;
struct ch_eeprom *e = (struct ch_eeprom *)data;
- uint8_t *buf = malloc(EEPROMSIZE, M_DEVBUF, M_NOWAIT);
+ uint8_t *buf;
+ if (e->offset & 3 || e->offset >= EEPROMSIZE ||
+ e->len > EEPROMSIZE || e->offset + e->len > EEPROMSIZE) {
+ return (EINVAL);
+ }
+
+ buf = malloc(EEPROMSIZE, M_DEVBUF, M_NOWAIT);
if (buf == NULL) {
return (ENOMEM);
}
More information about the svn-src-all
mailing list