d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Convert another tmpfs assert into runtime check.

Browse Source 
The offset of the directory file, passed to getdirentries(2) syscall,
is user-controllable.  The value of the offset must not be asserted,
instead the invalid value should be checked and rejected if invalid.

Reported and tested by:	pho
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
This commit is contained in:
Konstantin Belousov 2016-08-10 13:50:21 +00:00
parent 3cd77f5416
commit 15ad3e51c5
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
sys/fs/tmpfs/tmpfs_subr.c
View File

@ -819,10 +819,13 @@ tmpfs_dir_lookup_cookie(struct tmpfs_node *node, off_t cookie,
goto out;
}
MPASS((cookie & TMPFS_DIRCOOKIE_MASK) == cookie);
dekey.td_hash = cookie;
/* Recover if direntry for cookie was removed */
de = RB_NFIND(tmpfs_dir, dirhead, &dekey);
if ((cookie & TMPFS_DIRCOOKIE_MASK) != cookie) {
de = NULL;
} else {
dekey.td_hash = cookie;
/* Recover if direntry for cookie was removed */
de = RB_NFIND(tmpfs_dir, dirhead, &dekey);
}
dc->tdc_tree = de;
dc->tdc_current = de;
if (de != NULL && tmpfs_dirent_duphead(de)) {