d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Another issue reported on http://seclists.org/oss-sec/2016/q3/68 is

Browse Source 
that struct kevent member ident has uintptr_t type, which is silently
truncated to int in the call to fget().  Explicitely check for the
valid range.

Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
This commit is contained in:
Konstantin Belousov 2016-07-16 13:24:58 +00:00
parent 643fd575da
commit 86f1146329
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
sys/kern/kern_event.c
View File

@ -1183,8 +1183,11 @@ kqueue_register(struct kqueue *kq, struct kevent *kev, struct thread *td, int wa
findkn:
if (fops->f_isfd) {
KASSERT(td != NULL, ("td is NULL"));
error = fget(td, kev->ident,
cap_rights_init(&rights, CAP_EVENT), &fp);
if (kev->ident > INT_MAX)
error = EBADF;
else
error = fget(td, kev->ident,
cap_rights_init(&rights, CAP_EVENT), &fp);
if (error)
goto done;