svn commit: r350903 - stable/12/sys/fs/nandfs
Ed Maste
emaste at FreeBSD.org
Mon Aug 12 17:25:33 UTC 2019
Author: emaste
Date: Mon Aug 12 17:25:32 2019
New Revision: 350903
URL: https://svnweb.freebsd.org/changeset/base/350903
Log:
nandfs: avoid integer overflow in nandfs_get_dat_bdescs_ioctl
nandfs was removed in head in r349352 and in any case was not built by
default, but address the potential integer overflow in case someone does
enable it and manages to avoid a panic from other nandfs issues.
admbugs: 815
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by: imp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D21232
Modified:
stable/12/sys/fs/nandfs/nandfs_dat.c
Modified: stable/12/sys/fs/nandfs/nandfs_dat.c
==============================================================================
--- stable/12/sys/fs/nandfs/nandfs_dat.c Mon Aug 12 17:18:20 2019 (r350902)
+++ stable/12/sys/fs/nandfs/nandfs_dat.c Mon Aug 12 17:25:32 2019 (r350903)
@@ -298,6 +298,9 @@ nandfs_get_dat_bdescs_ioctl(struct nandfs_device *nffs
size_t size;
int error;
+ if (nargv->nv_nmembs >= SIZE_MAX / sizeof(struct nandfs_bdesc))
+ return (EINVAL);
+
size = nargv->nv_nmembs * sizeof(struct nandfs_bdesc);
bd = malloc(size, M_NANDFSTEMP, M_WAITOK);
error = copyin((void *)(uintptr_t)nargv->nv_base, bd, size);
More information about the svn-src-stable-12
mailing list