Deny attempt to malloc unbounded amount of the memory.

Convert malloc()/bzero() to malloc(M_ZERO). Obtained from: OpenBSD MFC after: 3 days Approved by: re (kensmith)
2007-10-08 20:08:34 +00:00 · 2007-10-08 20:08:34 +00:00 · 1649bbbb94
commit 1649bbbb94
parent a8efe9e273
1 changed files with 6 additions and 3 deletions
--- a/sys/opencrypto/cryptodev.c
+++ b/sys/opencrypto/cryptodev.c
@ -590,10 +590,9 @@ cryptodev_key(struct crypt_kop *kop)
 		return (EINVAL);
 	}

-	krp = (struct cryptkop *)malloc(sizeof *krp, M_XDATA, M_WAITOK);
+	krp = (struct cryptkop *)malloc(sizeof *krp, M_XDATA, M_WAITOK|M_ZERO);
 	if (!krp)
 		return (ENOMEM);
-	bzero(krp, sizeof *krp);
 	krp->krp_op = kop->crk_op;
 	krp->krp_status = kop->crk_status;
 	krp->krp_iparams = kop->crk_iparams;
@ -602,8 +601,12 @@ cryptodev_key(struct crypt_kop *kop)
 	krp->krp_status = 0;
 	krp->krp_callback = (int (*) (struct cryptkop *)) cryptodevkey_cb;

-	for (i = 0; i < CRK_MAXPARAM; i++)
+	for (i = 0; i < CRK_MAXPARAM; i++) {
+		if (kop->crk_param[i].crp_nbits > 65536)
+			/* Limit is the same as in OpenBSD */
+			goto fail;
 		krp->krp_param[i].crp_nbits = kop->crk_param[i].crp_nbits;
+	}
 	for (i = 0; i < krp->krp_iparams + krp->krp_oparams; i++) {
 		size = (krp->krp_param[i].crp_nbits + 7) / 8;
 		if (size == 0)