svn commit: r192140 - in stable/7/sys: . contrib/pf dev/ath/ath_hal
dev/cxgb fs/fdescfs
Konstantin Belousov
kib at FreeBSD.org
Fri May 15 10:45:53 UTC 2009
Author: kib
Date: Fri May 15 10:45:52 2009
New Revision: 192140
URL: http://svn.freebsd.org/changeset/base/192140
Log:
MFC r192012:
Return controlled EINVAL when the fdescfs lookup routine is given string
representing too large integer, instead of overflowing and possibly
returning a random but valid vnode.
Modified:
stable/7/sys/ (props changed)
stable/7/sys/contrib/pf/ (props changed)
stable/7/sys/dev/ath/ath_hal/ (props changed)
stable/7/sys/dev/cxgb/ (props changed)
stable/7/sys/fs/fdescfs/fdesc_vnops.c
Modified: stable/7/sys/fs/fdescfs/fdesc_vnops.c
==============================================================================
--- stable/7/sys/fs/fdescfs/fdesc_vnops.c Fri May 15 10:11:54 2009 (r192139)
+++ stable/7/sys/fs/fdescfs/fdesc_vnops.c Fri May 15 10:45:52 2009 (r192140)
@@ -264,7 +264,7 @@ fdesc_lookup(ap)
struct thread *td = cnp->cn_thread;
struct file *fp;
int nlen = cnp->cn_namelen;
- u_int fd;
+ u_int fd, fd1;
int error;
struct vnode *fvp;
@@ -296,7 +296,12 @@ fdesc_lookup(ap)
error = ENOENT;
goto bad;
}
- fd = 10 * fd + *pname++ - '0';
+ fd1 = 10 * fd + *pname++ - '0';
+ if (fd1 < fd) {
+ error = ENOENT;
+ goto bad;
+ }
+ fd = fd1;
}
if ((error = fget(td, fd, &fp)) != 0)
More information about the svn-src-all
mailing list