svn commit: r303172 - stable/10/sys/dev/hptmv
Sean Bruno
sbruno at FreeBSD.org
Fri Jul 22 03:03:54 UTC 2016
Author: sbruno
Date: Fri Jul 22 03:03:52 2016
New Revision: 303172
URL: https://svnweb.freebsd.org/changeset/base/303172
Log:
MFC r298231
hptmv(4) Fix potential buffer overflow in hpt_set_info.
While here, adjust some whitespace and yield some useful debug info.
This is untested on this hardware, testing requests to -scsi went
unanswered.
Modified:
stable/10/sys/dev/hptmv/hptproc.c
Modified: stable/10/sys/dev/hptmv/hptproc.c
==============================================================================
--- stable/10/sys/dev/hptmv/hptproc.c Fri Jul 22 02:11:49 2016 (r303171)
+++ stable/10/sys/dev/hptmv/hptproc.c Fri Jul 22 03:03:52 2016 (r303172)
@@ -290,7 +290,9 @@ hpt_set_info(int length)
/*
* map buffer to kernel.
*/
- if (piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
+ if (piop->nInBufferSize > PAGE_SIZE ||
+ piop->nOutBufferSize > PAGE_SIZE ||
+ piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
KdPrintE(("User buffer too large\n"));
return -EINVAL;
}
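Review bot: The two new single-field comparisons in this size check need a comment saying why they exist, because the third clause alone looks sufficient to a later reader. Presumably nInBufferSize and nOutBufferSize are unsigned 32-bit fields (their declaration is not in this hunk), so the sum can wrap to a small value and pass the old test unless each operand is bounded first. A line such as `/* bound each size first so the sum below cannot wrap */` above the `if` would stop a future cleanup from collapsing the check back to the sum. The "User buffer too large" message could also print both sizes, so that a rejected request can be diagnosed from the log.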
@@ -301,8 +303,13 @@ hpt_set_info(int length)
return -EINVAL;
}
- if (piop->nInBufferSize)
- copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize);
+ if (piop->nInBufferSize) {
+ if (copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize) != 0) {
+ KdPrintE(("Failed to copyin from lpInBuffer\n"));
+ free(ke_area, M_DEVBUF);
+ return -EFAULT;
+ }
+ }
/*
* call kernel handler.
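Review bot: Only the inbound copy gets a failure path here: the new `if (copyin(...) != 0)` branch frees ke_area and returns -EFAULT, but the copy back to the user's output buffer runs after the handler call and is not among the hunks shown. If that copyout is still unchecked, a bad lpOutBuffer would be reported to the caller as success, so it should take the same shape, e.g. `if (copyout(...) != 0) { free(ke_area, M_DEVBUF); return -EFAULT; }`. It is also worth confirming that ke_area is allocated zeroed (M_ZERO), since the allocation is outside this hunk. Without that, an output region the handler does not fully write would carry stale kernel heap bytes back to userland. The body of hpt_set_info starts and ends outside this hunk.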
@@ -324,7 +331,7 @@ hpt_set_info(int length)
else KdPrintW(("Kernel_ioctl(): return %d\n", err));
free(ke_area, M_DEVBUF);
- return -EINVAL;
+ return -EINVAL;
} else {
KdPrintW(("Wrong signature: %x\n", piop->Magic));
return -EINVAL;