FreeBSD Bugzilla – Attachment 172594 Details for
Bug 207627
[cam] fix negative array index in ctl.c
[patch]
Proposed patch for #207627
207627.patch (text/plain), 2.16 KB, created by
rday
on 2016-07-16 22:01:23 UTC
Description:
Proposed patch for #207627
Filename:
MIME Type:
Creator:
rday
Created:
2016-07-16 22:01:23 UTC
Size:
2.16 KB
>diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
>index 83e2289..3af1c12 100644
>--- a/sys/cam/ctl/ctl.c
>+++ b/sys/cam/ctl/ctl.c
>@@ -2397,8 +2397,10 @@ ctl_free_args(int num_args, struct ctl_be_arg *args)
> return;
>
> for (i = 0; i < num_args; i++) {
>- free(args[i].kname, M_CTL);
>- free(args[i].kvalue, M_CTL);
>+ if (args[i].kname != NULL)
>+ free(args[i].kname, M_CTL);
>+ if (args[i].kvalue != NULL)
>+ free(args[i].kvalue, M_CTL);
> }
>
> free(args, M_CTL);
>@@ -2425,6 +2427,12 @@ ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
> for (i = 0; i < num_args; i++) {
> uint8_t *tmpptr;
>
>+ if (args[i].namelen == 0) {
>+ snprintf(error_str, error_str_len, "Argument %d "
>+ "name length is invalid", i);
>+ goto bailout;
>+ }
>+
> args[i].kname = ctl_copyin_alloc(args[i].name,
> args[i].namelen, error_str, error_str_len);
> if (args[i].kname == NULL)
>@@ -2437,10 +2445,17 @@ ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
> }
>
> if (args[i].flags & CTL_BEARG_RD) {
>+ if (args[i].vallen == 0) {
>+ snprintf(error_str, error_str_len, "Argument %d "
>+ "value length is invalid", i);
>+ goto bailout;
>+ }
>+
> tmpptr = ctl_copyin_alloc(args[i].value,
> args[i].vallen, error_str, error_str_len);
> if (tmpptr == NULL)
> goto bailout;
>+
> if ((args[i].flags & CTL_BEARG_ASCII)
> && (tmpptr[args[i].vallen - 1] != '\0')) {
> snprintf(error_str, error_str_len, "Argument "
>diff --git a/sys/cam/ctl/ctl_ioctl.h b/sys/cam/ctl/ctl_ioctl.h
>index 40bd183..7d1128d 100644
>--- a/sys/cam/ctl/ctl_ioctl.h
>+++ b/sys/cam/ctl/ctl_ioctl.h
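Review bot: The two `!= NULL` guards added in ctl_free_args are redundant, because free(9) does nothing when handed NULL; `free(args[i].kname, M_CTL);` and `free(args[i].kvalue, M_CTL);` can stay unconditional. What actually protects this loop on the bailout path is that kname and kvalue of entries not yet processed hold NULL rather than whatever arrived in the copied-in array. That initialisation presumably sits in ctl_copyin_args outside the hunks shown and is worth confirming before relying on these guards. The body of ctl_free_args starts above the hunk.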
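Review bot: The new `namelen == 0` test in ctl_copyin_args handles the zero-length case but leaves the length unbounded from above; with namelen now `unsigned int` in ctl_ioctl.h, a value that used to be negative reaches ctl_copyin_alloc as a very large allocation request. The same holds for `vallen` in the CTL_BEARG_RD branch of the next hunk. Consider rejecting oversized lengths in the same test, e.g. `if (args[i].namelen == 0 || args[i].namelen > CTL_BEARG_MAX_LEN) {`, where the constant name is a placeholder for a limit the project chooses. How ctl_copyin_alloc treats large sizes is not visible in this patch, and the loop body continues outside the hunk.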
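Review bot: tmpptr is still only a local when the CTL_BEARG_ASCII termination test at the end of this hunk fails, so it may leak. The branch body continues outside the hunk; if it jumps to bailout like the branches above, the buffer has not yet been stored in `args[i].kvalue` and ctl_free_args will not release it. Adding `free(tmpptr, M_CTL);` before that goto would close a kernel memory leak that a caller could trigger repeatedly with an unterminated value. Separately, the `vallen == 0` rejection applies to every CTL_BEARG_RD argument, while the `vallen - 1` index it protects is only evaluated under CTL_BEARG_ASCII; a short comment saying that zero-length binary values are rejected on purpose would help.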
>@@ -317,20 +317,20 @@ typedef enum {
> *
> * flags: Flags for the parameter, see above for values.
> *
>- * vallen: Length of the value in bytes.
>+ * vallen: Length of the value in bytes, including the terminating NUL.
> *
>- * value: Value to be set/fetched.
>+ * value: Value to be set/fetched. This must be NUL-terminated.
> *
> * kname: For kernel use only.
> *
> * kvalue: For kernel use only.
> */
> struct ctl_be_arg {
>- int namelen;
>- char *name;
>- int flags;
>- int vallen;
>- void *value;
>+ unsigned int namelen;
>+ char *name;
>+ int flags;
>+ unsigned int vallen;
>+ void *value;
>
> char *kname;
> void *kvalue;
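Review bot: The updated comment says `value` must be NUL-terminated unconditionally, but the check in ctl_copyin_args only applies when CTL_BEARG_ASCII is set, so the header now documents a stricter contract than the kernel enforces. Suggested wording: `* value: Value to be set/fetched. Must be NUL-terminated when CTL_BEARG_ASCII is set.` and `* vallen: Length of the value in bytes; for CTL_BEARG_ASCII values this includes the terminating NUL.` It would also help to state here that zero is rejected for namelen and for the vallen of CTL_BEARG_RD arguments, since userland callers read this header rather than ctl.c. The comment block starts above the hunk.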