FreeBSD Bugzilla – Attachment 169497 Details for
Bug 206581
bxe_ioctl_nvram handler is faulty
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Check return values from copyin and copyout
file_206581.txt (text/plain), 4.43 KB, created by
CTurt
on 2016-04-20 16:32:21 UTC
(
hide
)
Description:
Check return values from copyin and copyout
Filename:
MIME Type:
Creator:
CTurt
Created:
2016-04-20 16:32:21 UTC
Size:
4.43 KB
patch
obsolete
>diff --git a/sys/dev/bxe/bxe.c b/sys/dev/bxe/bxe.c >index f88797e..90cea6b 100644 >--- a/bxe.c >+++ b/bxe.c >@@ -4422,77 +4422,83 @@ bxe_ifmedia_status(struct ifnet *ifp, struct ifmediareq > > ifmr->ifm_active |= sc->media; > > if (sc->link_vars.duplex == DUPLEX_FULL) { > ifmr->ifm_active |= IFM_FDX; > } else { > ifmr->ifm_active |= IFM_HDX; > } > } > > static int > bxe_ioctl_nvram(struct bxe_softc *sc, > uint32_t priv_op, > struct ifreq *ifr) > { > struct bxe_nvram_data nvdata_base; > struct bxe_nvram_data *nvdata; > int len; > int error = 0; > >- copyin(ifr->ifr_data, &nvdata_base, sizeof(nvdata_base)); >+ if ((error = copyin(ifr->ifr_data, &nvdata_base, sizeof(nvdata_base))) != 0 >+ return error; > > len = (sizeof(struct bxe_nvram_data) + > nvdata_base.len - > sizeof(uint32_t)); > > if (len > sizeof(struct bxe_nvram_data)) { > if ((nvdata = (struct bxe_nvram_data *) > malloc(len, M_DEVBUF, > (M_NOWAIT | M_ZERO))) == NULL) { > BLOGE(sc, "BXE_IOC_RD_NVRAM malloc failed priv_op 0x%x " > " len = 0x%x\n", priv_op, len); > return (1); > } > memcpy(nvdata, &nvdata_base, sizeof(struct bxe_nvram_data)); > } else { > nvdata = &nvdata_base; > } > > if (priv_op == BXE_IOC_RD_NVRAM) { > BLOGD(sc, DBG_IOCTL, "IOC_RD_NVRAM 0x%x %d\n", > nvdata->offset, nvdata->len); >- error = bxe_nvram_read(sc, >+ if ((error = bxe_nvram_read(sc, > nvdata->offset, > (uint8_t *)nvdata->value, >- nvdata->len); >- copyout(nvdata, ifr->ifr_data, len); >+ nvdata->len)) != 0) { >+ goto bxe_ioctl_nvram_exit; >+ } >+ error = copyout(nvdata, ifr->ifr_data, len); > } else { /* BXE_IOC_WR_NVRAM */ > BLOGD(sc, DBG_IOCTL, "IOC_WR_NVRAM 0x%x %d\n", > nvdata->offset, nvdata->len); >- copyin(ifr->ifr_data, nvdata, len); >+ if ((error = copyin(ifr->ifr_data, nvdata, len)) != 0) { >+ goto bxe_ioctl_nvram_exit; >+ } > error = bxe_nvram_write(sc, > nvdata->offset, > (uint8_t *)nvdata->value, > nvdata->len); > } > >+ bxe_ioctl_nvram_exit: > if (len > sizeof(struct bxe_nvram_data)) { > free(nvdata, M_DEVBUF); > } > > return (error); > } > > static int > bxe_ioctl_stats_show(struct bxe_softc *sc, > uint32_t priv_op, > struct ifreq *ifr) > { > const size_t str_size = (BXE_NUM_ETH_STATS * STAT_NAME_LEN); > const size_t stats_size = (BXE_NUM_ETH_STATS * sizeof(uint64_t)); > caddr_t p_tmp; > uint32_t *offset; > int i; > > switch (priv_op) > { >@@ -4752,41 +4758,42 @@ bxe_ioctl(if_t ifp, > BLOGE(sc, "Changing VLAN_HWFILTER is not supported!\n"); > error = EINVAL; > } > > /* XXX not yet... > * IFCAP_WOL_MAGIC > */ > > break; > > case SIOCSIFMEDIA: > case SIOCGIFMEDIA: > /* set/get interface media */ > BLOGD(sc, DBG_IOCTL, > "Received SIOCSIFMEDIA/SIOCGIFMEDIA ioctl (cmd=%lu)\n", > (command & 0xff)); > error = ifmedia_ioctl(ifp, ifr, &sc->ifmedia, command); > break; > > case SIOCGPRIVATE_0: >- copyin(ifr->ifr_data, &priv_op, sizeof(priv_op)); >+ if ((error = copyin(ifr->ifr_data, &priv_op, sizeof(priv_op))) != 0) >+ break; > > switch (priv_op) > { > case BXE_IOC_RD_NVRAM: > case BXE_IOC_WR_NVRAM: > nvdata = (struct bxe_nvram_data *)ifr->ifr_data; > BLOGD(sc, DBG_IOCTL, > "Received Private NVRAM ioctl addr=0x%x size=%u\n", > nvdata->offset, nvdata->len); > error = bxe_ioctl_nvram(sc, priv_op, ifr); > break; > > case BXE_IOC_STATS_SHOW_NUM: > case BXE_IOC_STATS_SHOW_STR: > case BXE_IOC_STATS_SHOW_CNT: > BLOGD(sc, DBG_IOCTL, "Received Private Stats ioctl (%d)\n", > priv_op); > error = bxe_ioctl_stats_show(sc, priv_op, ifr); > break; >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=169497">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 206581
: 169497