In hast_proto_recv_data() check that the size of the data to be

received does not exceed the buffer size. Approved by: pjd (mentor) MFC after: 1 week
svn path=/head/; revision=220522
2011-04-10 15:21:46 +00:00 · 2011-04-10 15:21:46 +00:00 · 1d521b1cbd · 2020-12-20 02:59:44 +00:00
commit 1d521b1cbd
parent 47f1eb5c4b
1 changed files with 5 additions and 2 deletions
--- a/sbin/hastd/hast_proto.c
+++ b/sbin/hastd/hast_proto.c
@ -189,9 +189,12 @@ hast_proto_recv_data(const struct hast_resource *res, struct proto_conn *conn,
 	dptr = data;

 	dsize = nv_get_uint32(nv, "size");
-	if (dsize == 0)
+	if (dsize > size) {
+		errno = EINVAL;
+		goto end;
+	} else if (dsize == 0) {
 		(void)nv_set_error(nv, 0);
-	else {
+	} else {
 		if (proto_recv(conn, data, dsize) < 0)
 			goto end;
 		for (ii = sizeof(pipeline) / sizeof(pipeline[0]); ii > 0;