svn commit: r213704 - head/sys/dev/mps
Matthew D Fleming
mdf at FreeBSD.org
Mon Oct 11 21:38:32 UTC 2010
Author: mdf
Date: Mon Oct 11 21:38:31 2010
New Revision: 213704
URL: http://svn.freebsd.org/changeset/base/213704
Log:
Fix a memory leak and locking inconsistency in mps(4) ioctl handling.
Check copyin(9) for error and sanity check the length before copyin.
Reviewed by: ken
Modified:
head/sys/dev/mps/mps_user.c
Modified: head/sys/dev/mps/mps_user.c
==============================================================================
--- head/sys/dev/mps/mps_user.c Mon Oct 11 21:34:35 2010 (r213703)
+++ head/sys/dev/mps/mps_user.c Mon Oct 11 21:38:31 2010 (r213704)
@@ -343,7 +343,7 @@ mps_user_command(struct mps_softc *sc, s
MPI2_REQUEST_HEADER *hdr;
MPI2_DEFAULT_REPLY *rpl;
MPI2_SGE_IO_UNION *sgl;
- void *buf;
+ void *buf = NULL;
struct mps_command *cm;
int err = 0;
int sz;
@@ -363,7 +363,13 @@ mps_user_command(struct mps_softc *sc, s
mps_dprint(sc, MPS_INFO, "mps_user_command: req %p %d rpl %p %d\n",
cmd->req, cmd->req_len, cmd->rpl, cmd->rpl_len );
- copyin(cmd->req, hdr, cmd->req_len);
+ if (cmd->req_len > (int)sc->facts->IOCRequestFrameSize * 4) {
+ err = EINVAL;
+ goto RetFreeUnlocked;
+ }
+ err = copyin(cmd->req, hdr, cmd->req_len);
+ if (err != 0)
+ goto RetFreeUnlocked;
mps_dprint(sc, MPS_INFO, "mps_user_command: Function %02X "
"MsgFlags %02X\n", hdr->Function, hdr->MsgFlags );
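Review bot: The new test on `cmd->req_len` before `copyin()` is an upper bound only, so a request shorter than the MPI2 request header is still accepted. The `hdr->Function` and `hdr->MsgFlags` reads right after the copy would then see whatever the buffer held before, not caller-supplied data. If `req_len` is a signed type (its declaration is not in this hunk, though the `(int)` cast hints at it), a negative value also passes the comparison and reaches `copyin()` as a very large length. A lower bound in the same condition covers both cases: `if (cmd->req_len < (int)sizeof(MPI2_REQUEST_HEADER) || cmd->req_len > (int)sc->facts->IOCRequestFrameSize * 4) {`. The body of mps_user_command starts and ends outside this hunk.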
@@ -372,7 +378,7 @@ mps_user_command(struct mps_softc *sc, s
if (err != 0) {
mps_printf(sc, "mps_user_command: unsupported function 0x%X\n",
hdr->Function );
- goto RetFree;
+ goto RetFreeUnlocked;
}
if (cmd->len > 0) {
@@ -380,7 +386,6 @@ mps_user_command(struct mps_softc *sc, s
cm->cm_data = buf;
cm->cm_length = cmd->len;
} else {
- buf = NULL;
cm->cm_data = NULL;
cm->cm_length = 0;
}
@@ -412,20 +417,27 @@ mps_user_command(struct mps_softc *sc, s
mps_unlock(sc);
copyout(rpl, cmd->rpl, sz);
- if (buf != NULL) {
+ if (buf != NULL)
copyout(buf, cmd->buf, cmd->len);
- free(buf, M_MPSUSER);
- }
mps_lock(sc);
mps_dprint(sc, MPS_INFO, "mps_user_command: reply size %d\n", sz );
-RetFree:
mps_free_command(sc, cm);
-
Ret:
mps_unlock(sc);
- return err;
+ if (buf != NULL)
+ free(buf, M_MPSUSER);
+ return (err);
+
+RetFreeUnlocked:
+ mps_lock(sc);
+ mps_free_command(sc, cm);
+ mps_unlock(sc);
+
+ if (buf != NULL)
+ free(buf, M_MPSUSER);
+ return (err);
}
static int
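Review bot: Both `copyout()` calls in the unlocked section still discard their return value, so a bad `cmd->rpl` or `cmd->buf` pointer leaves `err` unchanged and the ioctl can report success without the reply or data having reached the caller; the commit adds the check for `copyin()` only. Suggest `err = copyout(rpl, cmd->rpl, sz);` followed by `if (err == 0 && buf != NULL) err = copyout(buf, cmd->buf, cmd->len);`. The two exits now repeat the `if (buf != NULL) free(buf, M_MPSUSER);` tail, so a short comment at `RetFreeUnlocked:` such as `/* entered without the softc lock held; buf may still be NULL */` would record why both exist. How `sz` is bounded against `cmd->rpl_len` is set outside this hunk and is worth confirming, since the function body starts before it.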