svn commit: r330308 - stable/11/sys/dev/cxgb

[Navdeep Parhar]

Author: np
Date: Sat Mar  3 02:39:54 2018
New Revision: 330308
URL: https://svnweb.freebsd.org/changeset/base/330308

Log:
  MFC r328315:
  
  cxgb(4): Validate offset/len in the GET_EEPROM ioctl.

Modified:
  stable/11/sys/dev/cxgb/cxgb_main.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/cxgb/cxgb_main.c
==============================================================================
--- stable/11/sys/dev/cxgb/cxgb_main.c	Sat Mar  3 02:30:52 2018	(r330307)
+++ stable/11/sys/dev/cxgb/cxgb_main.c	Sat Mar  3 02:39:54 2018	(r330308)
@@ -2958,8 +2958,14 @@ cxgb_extension_ioctl(struct cdev *dev, unsigned long c
 	case CHELSIO_GET_EEPROM: {
 		int i;
 		struct ch_eeprom *e = (struct ch_eeprom *)data;
-		uint8_t *buf = malloc(EEPROMSIZE, M_DEVBUF, M_NOWAIT);
+		uint8_t *buf;
 
+		if (e->offset & 3 || e->offset >= EEPROMSIZE ||
+		    e->len > EEPROMSIZE || e->offset + e->len > EEPROMSIZE) {
+			return (EINVAL);
+		}
+
+		buf = malloc(EEPROMSIZE, M_DEVBUF, M_NOWAIT);
 		if (buf == NULL) {
 			return (ENOMEM);
 		}