d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Correctly validate inputs to the i386_get_ldt syscall.

Browse Source 
Security: FreeBSD-SA-05:07.ldt
This commit is contained in:
Colin Percival 2005-05-06 02:40:18 +00:00
parent c340af03a0
commit 9b2dc15ca0
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
sys/i386/i386/sys_machdep.c
View File

@ -476,10 +476,6 @@ i386_get_ldt(td, uap)
uap->start, uap->num, (void *)uap->descs);
#endif
/* verify range of LDTs exist */
if ((uap->start < 0) || (uap->num <= 0))
return(EINVAL);
if (pldt) {
nldt = pldt->ldt_len;
num = min(uap->num, nldt);
@ -489,7 +485,10 @@ i386_get_ldt(td, uap)
num = min(uap->num, nldt);
lp = &ldt[uap->start];
}
if (uap->start + num > nldt)
if ((uap->start > (unsigned int)nldt) ||
((unsigned int)num > (unsigned int)nldt) ||
((unsigned int)(uap->start + num) > (unsigned int)nldt))
return(EINVAL);
error = copyout(lp, uap->descs, num * sizeof(union descriptor));