svn commit: r360388 - head/sys/dev/iscsi_initiator
John Baldwin
jhb at FreeBSD.org
Mon Apr 27 18:04:43 UTC 2020
Author: jhb
Date: Mon Apr 27 18:04:42 2020
New Revision: 360388
URL: https://svnweb.freebsd.org/changeset/base/360388
Log:
Don't run strcmp() against strings stored in user memory.
Instead, copy the strings into a temporary buffer on the stack and
run strcmp on the copies.
Reviewed by: brooks, kib
Obtained from: CheriBSD
MFC after: 1 week
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D24567
Modified:
head/sys/dev/iscsi_initiator/isc_subr.c
Modified: head/sys/dev/iscsi_initiator/isc_subr.c
==============================================================================
--- head/sys/dev/iscsi_initiator/isc_subr.c Mon Apr 27 17:55:40 2020 (r360387)
+++ head/sys/dev/iscsi_initiator/isc_subr.c Mon Apr 27 18:04:42 2020 (r360388)
@@ -97,6 +97,9 @@ i_crc32c(const void *buf, size_t size, uint32_t crc)
int
i_setopt(isc_session_t *sp, isc_opt_t *opt)
{
+ char buf[16];
+ int error;
+
if(opt->maxRecvDataSegmentLength > 0) {
sp->opt.maxRecvDataSegmentLength = opt->maxRecvDataSegmentLength;
sdebug(2, "maxRecvDataSegmentLength=%d", sp->opt.maxRecvDataSegmentLength);
@@ -138,15 +141,21 @@ i_setopt(isc_session_t *sp, isc_opt_t *opt)
}
if(opt->headerDigest != NULL) {
- sdebug(2, "opt.headerDigest='%s'", opt->headerDigest);
- if(strcmp(opt->headerDigest, "CRC32C") == 0) {
+ error = copyinstr(opt->headerDigest, buf, sizeof(buf), NULL);
+ if (error != 0)
+ return (error);
+ sdebug(2, "opt.headerDigest='%s'", buf);
+ if(strcmp(buf, "CRC32C") == 0) {
sp->hdrDigest = (digest_t *)i_crc32c;
sdebug(2, "opt.headerDigest set");
}
}
if(opt->dataDigest != NULL) {
- sdebug(2, "opt.dataDigest='%s'", opt->headerDigest);
- if(strcmp(opt->dataDigest, "CRC32C") == 0) {
+ error = copyinstr(opt->dataDigest, buf, sizeof(buf), NULL);
+ if (error != 0)
+ return (error);
+ sdebug(2, "opt.dataDigest='%s'", opt->dataDigest);
+ if(strcmp(buf, "CRC32C") == 0) {
sp->dataDigest = (digest_t *)i_crc32c;
sdebug(2, "opt.dataDigest set");
}
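Review bot: The dataDigest debug line still hands the user-space pointer to `%s`: `sdebug(2, "opt.dataDigest='%s'", opt->dataDigest);` makes the kernel format code read the string straight from user memory, which is the access this commit removes for strcmp(). The headerDigest branch already prints the copy, so this line should match it: `sdebug(2, "opt.dataDigest='%s'", buf);`. Separately, the two new `return (error);` paths exit i_setopt after options such as maxRecvDataSegmentLength have already been stored in `sp->opt`, so a faulting or over-long digest string (anything that does not fit `buf[16]`) appears to leave the session partly updated. The function body begins and ends outside this hunk, so it is worth confirming that callers tolerate that, and a short comment on `buf` noting that it only needs to hold a digest name would explain the size.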