de828a91db
Previously we copied in the request into a stack-allocated structure that could be smaller than the request size. Furthermore, we checked the request size only after doing the copyin. Fix this by allocating a buffer to hold the request, then copying the buffer's contents into a command descriptor. This is a bit heavy-handed but I expect the overhead will not be noticeable. The approach of coping the header in first is susceptible to TOCTOU problems. Reviewed by: imp Reported by: maxpl0it@protonmail.com MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D27963 |
||
---|---|---|
.. | ||
mpi | ||
mpr_config.c | ||
mpr_ioctl.h | ||
mpr_mapping.c | ||
mpr_mapping.h | ||
mpr_pci.c | ||
mpr_sas_lsi.c | ||
mpr_sas.c | ||
mpr_sas.h | ||
mpr_table.c | ||
mpr_table.h | ||
mpr_user.c | ||
mpr.c | ||
mprvar.h |