Summary: | Heap overflows in an driver | ||
---|---|---|---|
Product: | Base System | Reporter: | CTurt <ecturt> |
Component: | kern | Assignee: | freebsd-wireless (Nobody) <wireless> |
Status: | Closed FIXED | ||
Severity: | Affects Only Me | CC: | emaste, op, sbruno |
Priority: | --- | Keywords: | patch |
Version: | CURRENT | ||
Hardware: | Any | ||
OS: | Any |
Description
CTurt
2016-05-16 09:10:58 UTC
Test build running, will commit in a bit. A commit references this bug: Author: sbruno Date: Tue May 24 13:57:24 UTC 2016 New revision: 300612 URL: https://svnweb.freebsd.org/changeset/base/300612 Log: Reject ioctl commands for FLSHGCHR and FLSHPCHR if the size is greater than sc->areq. This is a bounds check to ensure we're not just cramming arbitrarily sized nonsense into the driver and overflowing the heap. PR: 209545 Submitted by: cturt@hardenedbsd.org MFC after: 2 weeks Changes: head/sys/dev/an/if_an.c A commit references this bug: Author: sbruno Date: Fri Jul 22 03:26:02 UTC 2016 New revision: 303177 URL: https://svnweb.freebsd.org/changeset/base/303177 Log: MFC r300612 Reject ioctl commands for FLSHGCHR and FLSHPCHR if the size is greater than sc->areq. This is a bounds check to ensure we're not just cramming arbitrarily sized nonsense into the driver and overflowing the heap. PR: 209545 Changes: stable/10/sys/dev/an/if_an.c |