d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't run strcmp() against strings stored in user memory.

Browse Source 
Instead, copy the strings into a temporary buffer on the stack and
run strcmp on the copies.

Reviewed by:	brooks, kib
Obtained from:	CheriBSD
MFC after:	1 week
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D24567
This commit is contained in:
John Baldwin 2020-04-27 18:04:42 +00:00
parent 61bbe53c2d
commit 3eb7c1bf06
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=360388
1 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
sys/dev/iscsi_initiator/isc_subr.c
View File

@ -97,6 +97,9 @@ i_crc32c(const void *buf, size_t size, uint32_t crc)
int
i_setopt(isc_session_t *sp, isc_opt_t *opt)
{
char buf[16];
int error;
if(opt->maxRecvDataSegmentLength > 0) {
sp->opt.maxRecvDataSegmentLength = opt->maxRecvDataSegmentLength;
sdebug(2, "maxRecvDataSegmentLength=%d", sp->opt.maxRecvDataSegmentLength);
@ -138,15 +141,21 @@ i_setopt(isc_session_t *sp, isc_opt_t *opt)
}
if(opt->headerDigest != NULL) {
sdebug(2, "opt.headerDigest='%s'", opt->headerDigest);
if(strcmp(opt->headerDigest, "CRC32C") == 0) {
error = copyinstr(opt->headerDigest, buf, sizeof(buf), NULL);
if (error != 0)
return (error);
sdebug(2, "opt.headerDigest='%s'", buf);
if(strcmp(buf, "CRC32C") == 0) {
sp->hdrDigest = (digest_t *)i_crc32c;
sdebug(2, "opt.headerDigest set");
}
}
if(opt->dataDigest != NULL) {
sdebug(2, "opt.dataDigest='%s'", opt->headerDigest);
if(strcmp(opt->dataDigest, "CRC32C") == 0) {
error = copyinstr(opt->dataDigest, buf, sizeof(buf), NULL);
if (error != 0)
return (error);
sdebug(2, "opt.dataDigest='%s'", opt->dataDigest);
if(strcmp(buf, "CRC32C") == 0) {
sp->dataDigest = (digest_t *)i_crc32c;
sdebug(2, "opt.dataDigest set");
}