Reject ioctl commands for FLSHGCHR and FLSHPCHR if the size is greater
than sc->areq.  This is a bounds check to ensure we're not just cramming
arbitrarily sized nonsense into the driver and overflowing the heap.

PR:		209545
Submitted by:	cturt@hardenedbsd.org
MFC after:	2 weeks
Sean Bruno 2016-05-24 13:57:23 +00:00
parent 0d0da76911
commit 6115013663


@ -3749,6 +3749,9 @@ flashcard(struct ifnet *ifp, struct aironet_ioctl *l_ioctl)
return ENOBUFS;
break;
case AIROFLSHGCHR: /* Get char from aux */
if (l_ioctl->len > sizeof(sc->areq)) {
return -EINVAL;
}
AN_UNLOCK(sc);
status = copyin(l_ioctl->data, &sc->areq, l_ioctl->len);
AN_LOCK(sc);
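Review bot: The added `return -EINVAL;` in the AIROFLSHGCHR case returns a negated errno, while the context line at the top of this hunk returns the positive `ENOBUFS`; FreeBSD kernel code conventionally reports errors as positive errno values. Unless the caller of flashcard() normalises the sign (not visible here), a rejected oversized request may surface to userland as something other than EINVAL, so `return (EINVAL);` looks like the safer form. The same applies to the identical check added in the AIROFLSHPCHR hunk. The function body starts and ends outside this hunk.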
@ -3760,6 +3763,9 @@ flashcard(struct ifnet *ifp, struct aironet_ioctl *l_ioctl)
else
return -1;
case AIROFLSHPCHR: /* Send char to card. */
if (l_ioctl->len > sizeof(sc->areq)) {
return -EINVAL;
}
AN_UNLOCK(sc);
status = copyin(l_ioctl->data, &sc->areq, l_ioctl->len);
AN_LOCK(sc);
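Review bot: The new length check bounds the copy, but the `copyin()` that follows still writes into the shared per-device `sc->areq` between `AN_UNLOCK(sc)` and `AN_LOCK(sc)`, here and in the AIROFLSHGCHR case. If another thread can reach that buffer while the lock is dropped (not determinable from the hunk), its contents could change under the code that consumes them after relocking. Copying into a local or temporarily allocated buffer of at most `sizeof(sc->areq)` bytes and moving the data into `sc->areq` only after `AN_LOCK(sc)` would keep the bounds check and remove the unlocked write. The case body continues past the end of this hunk.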