Fix some signed/unsigned integer confusion, and add bounds checking of
arguments to some functions. Obtained from: NetBSD Reviewed by: peter MFC after: 2 weeks
This commit is contained in:
Kris Kennaway
parent
746b3df68f
commit
bf61e26696
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=83291
@ -1263,6 +1263,9 @@ ccdioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
|
||||
if ((error = ccdlock(cs)) != 0)
|
||||
return (error);
|
||||
|
||||
if (ccio->ccio_ndisks > CCD_MAXNDISKS)
|
||||
return (EINVAL);
|
||||
|
||||
/* Fill in some important bits. */
|
||||
cs->sc_ileave = ccio->ccio_ileave;
|
||||
if (cs->sc_ileave == 0 &&
|
||||
|
||||
@ -1876,6 +1876,8 @@ mlx_user_command(struct mlx_softc *sc, struct mlx_usercommand *mu)
|
||||
|
||||
/* if we need a buffer for data transfer, allocate one and copy in its initial contents */
|
||||
if (mu->mu_datasize > 0) {
|
||||
if (mu->mu_datasize > MAXPHYS)
|
||||
return (EINVAL);
|
||||
if (((kbuf = malloc(mu->mu_datasize, M_DEVBUF, M_WAITOK)) == NULL) ||
|
||||
(error = copyin(mu->mu_buf, kbuf, mu->mu_datasize)))
|
||||
goto out;
|
||||
|
||||
@ -167,6 +167,12 @@ umapfs_mount(mp, path, data, ndp, p)
|
||||
/*
|
||||
* Now copy in the number of entries and maps for umap mapping.
|
||||
*/
|
||||
if (args.nentries > MAPFILEENTRIES || args.gnentries >
|
||||
GMAPFILEENTRIES) {
|
||||
vput(lowerrootvp);
|
||||
return (error);
|
||||
}
|
||||
|
||||
amp->info_nentries = args.nentries;
|
||||
amp->info_gnentries = args.gnentries;
|
||||
error = copyin(args.mapdata, (caddr_t)amp->info_mapdata,
|
||||
|
||||
@ -1263,6 +1263,9 @@ ccdioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
|
||||
if ((error = ccdlock(cs)) != 0)
|
||||
return (error);
|
||||
|
||||
if (ccio->ccio_ndisks > CCD_MAXNDISKS)
|
||||
return (EINVAL);
|
||||
|
||||
/* Fill in some important bits. */
|
||||
cs->sc_ileave = ccio->ccio_ileave;
|
||||
if (cs->sc_ileave == 0 &&
|
||||
|
||||
@ -700,6 +700,7 @@ struct isdn_diagnostic_request {
|
||||
int controller; /* controller number */
|
||||
u_int32_t cmd; /* diagnostic command to execute */
|
||||
size_t in_param_len; /* length of additional input parameter */
|
||||
#define I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN 65536
|
||||
void *in_param; /* optional input parameter */
|
||||
size_t out_param_len; /* available output space */
|
||||
void *out_param; /* output data goes here */
|
||||
|
||||
@ -700,6 +700,7 @@ struct isdn_diagnostic_request {
|
||||
int controller; /* controller number */
|
||||
u_int32_t cmd; /* diagnostic command to execute */
|
||||
size_t in_param_len; /* length of additional input parameter */
|
||||
#define I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN 65536
|
||||
void *in_param; /* optional input parameter */
|
||||
size_t out_param_len; /* available output space */
|
||||
void *out_param; /* output data goes here */
|
||||
|
||||
@ -859,6 +859,13 @@ i4bioctl(dev_t dev, int cmd, caddr_t data, int flag, struct proc *p)
|
||||
|
||||
if(req.in_param_len)
|
||||
{
|
||||
/* XXX arbitrary limit */
|
||||
if (req.in_param_len >
|
||||
I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN) {
|
||||
error = EINVAL;
|
||||
goto diag_done;
|
||||
}
|
||||
|
||||
req.in_param = malloc(r->in_param_len, M_DEVBUF, M_WAITOK);
|
||||
|
||||
if(!req.in_param)
|
||||
|
||||
@ -44,6 +44,7 @@
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/mount.h>
|
||||
#include <net/radix.h>
|
||||
#include <sys/domain.h>
|
||||
@ -106,6 +107,10 @@ vfs_hang_addrlist(mp, nep, argp)
|
||||
mp->mnt_flag |= MNT_DEFEXPORTED;
|
||||
return (0);
|
||||
}
|
||||
|
||||
if (argp->ex_addrlen > MLEN)
|
||||
return (EINVAL);
|
||||
|
||||
i = sizeof(struct netcred) + argp->ex_addrlen + argp->ex_masklen;
|
||||
np = (struct netcred *) malloc(i, M_NETADDR, M_WAITOK | M_ZERO);
|
||||
saddr = (struct sockaddr *) (np + 1);
|
||||
|
||||
@ -345,7 +345,8 @@ pppioctl(sc, cmd, data, flag, p)
|
||||
int flag;
|
||||
struct proc *p;
|
||||
{
|
||||
int s, flags, mru, nb, npx;
|
||||
int s, flags, mru, npx;
|
||||
u_int nb;
|
||||
int error = 0;
|
||||
struct ppp_option_data *odp;
|
||||
struct compressor **cp;
|
||||
|
||||
@ -198,9 +198,9 @@ struct nfsd_srvargs {
|
||||
uid_t nsd_uid; /* Effective uid mapped to cred */
|
||||
u_int32_t nsd_haddr; /* Ip address of client */
|
||||
struct xucred nsd_cr; /* Cred. uid maps to */
|
||||
int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_char *nsd_authstr; /* Auth string (ret) */
|
||||
int nsd_verflen; /* and the verfier */
|
||||
u_int nsd_verflen; /* and the verfier */
|
||||
u_char *nsd_verfstr;
|
||||
struct timeval nsd_timestamp; /* timestamp from verifier */
|
||||
u_int32_t nsd_ttl; /* credential ttl (sec) */
|
||||
@ -211,9 +211,9 @@ struct nfsd_cargs {
|
||||
char *ncd_dirp; /* Mount dir path */
|
||||
uid_t ncd_authuid; /* Effective uid */
|
||||
int ncd_authtype; /* Type of authenticator */
|
||||
int ncd_authlen; /* Length of authenticator string */
|
||||
u_int ncd_authlen; /* Length of authenticator string */
|
||||
u_char *ncd_authstr; /* Authenticator string */
|
||||
int ncd_verflen; /* and the verifier */
|
||||
u_int ncd_verflen; /* and the verifier */
|
||||
u_char *ncd_verfstr;
|
||||
NFSKERBKEY_T ncd_key; /* Session key */
|
||||
};
|
||||
|
||||
@ -198,9 +198,9 @@ struct nfsd_srvargs {
|
||||
uid_t nsd_uid; /* Effective uid mapped to cred */
|
||||
u_int32_t nsd_haddr; /* Ip address of client */
|
||||
struct xucred nsd_cr; /* Cred. uid maps to */
|
||||
int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_char *nsd_authstr; /* Auth string (ret) */
|
||||
int nsd_verflen; /* and the verfier */
|
||||
u_int nsd_verflen; /* and the verfier */
|
||||
u_char *nsd_verfstr;
|
||||
struct timeval nsd_timestamp; /* timestamp from verifier */
|
||||
u_int32_t nsd_ttl; /* credential ttl (sec) */
|
||||
@ -211,9 +211,9 @@ struct nfsd_cargs {
|
||||
char *ncd_dirp; /* Mount dir path */
|
||||
uid_t ncd_authuid; /* Effective uid */
|
||||
int ncd_authtype; /* Type of authenticator */
|
||||
int ncd_authlen; /* Length of authenticator string */
|
||||
u_int ncd_authlen; /* Length of authenticator string */
|
||||
u_char *ncd_authstr; /* Authenticator string */
|
||||
int ncd_verflen; /* and the verifier */
|
||||
u_int ncd_verflen; /* and the verifier */
|
||||
u_char *ncd_verfstr;
|
||||
NFSKERBKEY_T ncd_key; /* Session key */
|
||||
};
|
||||
|
||||
@ -198,9 +198,9 @@ struct nfsd_srvargs {
|
||||
uid_t nsd_uid; /* Effective uid mapped to cred */
|
||||
u_int32_t nsd_haddr; /* Ip address of client */
|
||||
struct xucred nsd_cr; /* Cred. uid maps to */
|
||||
int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_char *nsd_authstr; /* Auth string (ret) */
|
||||
int nsd_verflen; /* and the verfier */
|
||||
u_int nsd_verflen; /* and the verfier */
|
||||
u_char *nsd_verfstr;
|
||||
struct timeval nsd_timestamp; /* timestamp from verifier */
|
||||
u_int32_t nsd_ttl; /* credential ttl (sec) */
|
||||
@ -211,9 +211,9 @@ struct nfsd_cargs {
|
||||
char *ncd_dirp; /* Mount dir path */
|
||||
uid_t ncd_authuid; /* Effective uid */
|
||||
int ncd_authtype; /* Type of authenticator */
|
||||
int ncd_authlen; /* Length of authenticator string */
|
||||
u_int ncd_authlen; /* Length of authenticator string */
|
||||
u_char *ncd_authstr; /* Authenticator string */
|
||||
int ncd_verflen; /* and the verifier */
|
||||
u_int ncd_verflen; /* and the verifier */
|
||||
u_char *ncd_verfstr;
|
||||
NFSKERBKEY_T ncd_key; /* Session key */
|
||||
};
|
||||
|
||||
@ -198,9 +198,9 @@ struct nfsd_srvargs {
|
||||
uid_t nsd_uid; /* Effective uid mapped to cred */
|
||||
u_int32_t nsd_haddr; /* Ip address of client */
|
||||
struct xucred nsd_cr; /* Cred. uid maps to */
|
||||
int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_char *nsd_authstr; /* Auth string (ret) */
|
||||
int nsd_verflen; /* and the verfier */
|
||||
u_int nsd_verflen; /* and the verfier */
|
||||
u_char *nsd_verfstr;
|
||||
struct timeval nsd_timestamp; /* timestamp from verifier */
|
||||
u_int32_t nsd_ttl; /* credential ttl (sec) */
|
||||
@ -211,9 +211,9 @@ struct nfsd_cargs {
|
||||
char *ncd_dirp; /* Mount dir path */
|
||||
uid_t ncd_authuid; /* Effective uid */
|
||||
int ncd_authtype; /* Type of authenticator */
|
||||
int ncd_authlen; /* Length of authenticator string */
|
||||
u_int ncd_authlen; /* Length of authenticator string */
|
||||
u_char *ncd_authstr; /* Authenticator string */
|
||||
int ncd_verflen; /* and the verifier */
|
||||
u_int ncd_verflen; /* and the verifier */
|
||||
u_char *ncd_verfstr;
|
||||
NFSKERBKEY_T ncd_key; /* Session key */
|
||||
};
|
||||
|
||||
@ -198,9 +198,9 @@ struct nfsd_srvargs {
|
||||
uid_t nsd_uid; /* Effective uid mapped to cred */
|
||||
u_int32_t nsd_haddr; /* Ip address of client */
|
||||
struct xucred nsd_cr; /* Cred. uid maps to */
|
||||
int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_char *nsd_authstr; /* Auth string (ret) */
|
||||
int nsd_verflen; /* and the verfier */
|
||||
u_int nsd_verflen; /* and the verfier */
|
||||
u_char *nsd_verfstr;
|
||||
struct timeval nsd_timestamp; /* timestamp from verifier */
|
||||
u_int32_t nsd_ttl; /* credential ttl (sec) */
|
||||
@ -211,9 +211,9 @@ struct nfsd_cargs {
|
||||
char *ncd_dirp; /* Mount dir path */
|
||||
uid_t ncd_authuid; /* Effective uid */
|
||||
int ncd_authtype; /* Type of authenticator */
|
||||
int ncd_authlen; /* Length of authenticator string */
|
||||
u_int ncd_authlen; /* Length of authenticator string */
|
||||
u_char *ncd_authstr; /* Authenticator string */
|
||||
int ncd_verflen; /* and the verifier */
|
||||
u_int ncd_verflen; /* and the verifier */
|
||||
u_char *ncd_verfstr;
|
||||
NFSKERBKEY_T ncd_key; /* Session key */
|
||||
};
|
||||
|
||||
@ -198,9 +198,9 @@ struct nfsd_srvargs {
|
||||
uid_t nsd_uid; /* Effective uid mapped to cred */
|
||||
u_int32_t nsd_haddr; /* Ip address of client */
|
||||
struct xucred nsd_cr; /* Cred. uid maps to */
|
||||
int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_int nsd_authlen; /* Length of auth string (ret) */
|
||||
u_char *nsd_authstr; /* Auth string (ret) */
|
||||
int nsd_verflen; /* and the verfier */
|
||||
u_int nsd_verflen; /* and the verfier */
|
||||
u_char *nsd_verfstr;
|
||||
struct timeval nsd_timestamp; /* timestamp from verifier */
|
||||
u_int32_t nsd_ttl; /* credential ttl (sec) */
|
||||
@ -211,9 +211,9 @@ struct nfsd_cargs {
|
||||
char *ncd_dirp; /* Mount dir path */
|
||||
uid_t ncd_authuid; /* Effective uid */
|
||||
int ncd_authtype; /* Type of authenticator */
|
||||
int ncd_authlen; /* Length of authenticator string */
|
||||
u_int ncd_authlen; /* Length of authenticator string */
|
||||
u_char *ncd_authstr; /* Authenticator string */
|
||||
int ncd_verflen; /* and the verifier */
|
||||
u_int ncd_verflen; /* and the verifier */
|
||||
u_char *ncd_verfstr;
|
||||
NFSKERBKEY_T ncd_key; /* Session key */
|
||||
};
|
||||
|
||||
@ -90,7 +90,7 @@
|
||||
*/
|
||||
struct ccd_ioctl {
|
||||
char **ccio_disks; /* pointer to component paths */
|
||||
int ccio_ndisks; /* number of disks to concatenate */
|
||||
u_int ccio_ndisks; /* number of disks to concatenate */
|
||||
int ccio_ileave; /* interleave (DEV_BSIZE blocks) */
|
||||
int ccio_flags; /* misc. information */
|
||||
int ccio_unit; /* unit number: use varies */
|
||||
@ -167,7 +167,8 @@ struct ccd_s {
|
||||
int sc_cflags; /* configuration flags */
|
||||
size_t sc_size; /* size of ccd */
|
||||
int sc_ileave; /* interleave */
|
||||
int sc_nccdisks; /* number of components */
|
||||
u_int sc_nccdisks; /* number of components */
|
||||
#define CCD_MAXNDISKS 65536
|
||||
struct ccdcinfo *sc_cinfo; /* component info */
|
||||
struct ccdiinfo *sc_itable; /* interleave table */
|
||||
struct devstat device_stats; /* device statistics */
|
||||
|
||||
Loading…
Reference in New Issue
Block a user