FreeBSD Bugzilla – Attachment 169074 Details for
Bug 206585
hpt_set_info possible buffer overflow
[patch]
Fix heap overflow and check result of copyin
file_206585.txt (text/plain), 1.34 KB, created by
CTurt
on 2016-04-07 16:40:25 UTC
Description:
Fix heap overflow and check result of copyin
Filename:
MIME Type:
Creator:
CTurt
Created:
2016-04-07 16:40:25 UTC
Size:
1.34 KB
>diff --git a/sys/dev/hptmv/hptproc.c b/sys/dev/hptmv/hptproc.c
>index 3981b71..9e89756 100644
>--- a/sys/dev/hptmv/hptproc.c
>+++ b/sys/dev/hptmv/hptproc.c
>@@ -308,7 +308,9 @@ hpt_set_info(int length)
> /*
> * map buffer to kernel.
> */
>- if (piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
>+ if (piop->nInBufferSize > PAGE_SIZE ||
>+ piop->nOutBufferSize > PAGE_SIZE ||
>+ piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
> KdPrintE(("User buffer too large\n"));
> return -EINVAL;
> }
>@@ -319,8 +321,13 @@ hpt_set_info(int length)
> return -EINVAL;
> }
>
>- if (piop->nInBufferSize)
>- copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize);
>+ if (piop->nInBufferSize) {
>+ if (copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize) != 0) {
>+ KdPrintE(("Failed to copyin from lpInBuffer\n"));
>+ free(ke_area, M_DEVBUF);
>+ return -EFAULT;
>+ }
>+ }
>
> /*
> * call kernel handler.
>@@ -342,7 +349,7 @@ hpt_set_info(int length)
> else KdPrintW(("Kernel_ioctl(): return %d\n", err));
>
> free(ke_area, M_DEVBUF);
>- return -EINVAL;
>+ return -EINVAL;
> } else {
> KdPrintW(("Wrong signature: %x\n", piop->Magic));
> return -EINVAL;
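Review bot: The size guard in the hunk at -308,7 has no comment saying why the two per-field comparisons come before the sum, so a later cleanup could fold them back into the single sum test. I would add above the `if`: `/* Bound each size on its own first: the sum alone can overflow and still pass the PAGE_SIZE test. */`. The field types are not visible in this hunk; if nInBufferSize or nOutBufferSize is signed, a negative value would still pass all three comparisons, so that is worth confirming against the structure definition. hpt_set_info's body starts and ends outside the hunk.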
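Review bot: The new copyin check in the hunk at -319,8 nests one `if` inside another only to test the return value; a single condition keeps the error path at one indent level: `if (piop->nInBufferSize && copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize) != 0) {`. The cleanup on that path, freeing ke_area before returning -EFAULT, matches the free that the later context lines show on the other failure path. The rest of hpt_set_info lies outside the hunk, so any copy back to the user buffer there is not visible; it would presumably need the same return-value check.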