Return controlled EINVAL when the fdescfs lookup routine is given string

representing too large integer, instead of overflowing and possibly returning a random but valid vnode. Noted by: Jilles Tjoelker <jilles stack nl> MFC after: 3 days
2009-05-12 09:22:33 +00:00 · 2009-05-12 09:22:33 +00:00 · ada3b6a9ea
commit ada3b6a9ea
parent ebc90701ac
1 changed files with 7 additions and 2 deletions
--- a/sys/fs/fdescfs/fdesc_vnops.c
+++ b/sys/fs/fdescfs/fdesc_vnops.c
@ -265,7 +265,7 @@ fdesc_lookup(ap)
 	struct thread *td = cnp->cn_thread;
 	struct file *fp;
 	int nlen = cnp->cn_namelen;
-	u_int fd;
+	u_int fd, fd1;
 	int error;
 	struct vnode *fvp;

@ -297,7 +297,12 @@ fdesc_lookup(ap)
 			error = ENOENT;
 			goto bad;
 		}
-		fd = 10 * fd + *pname++ - '0';
+		fd1 = 10 * fd + *pname++ - '0';
+		if (fd1 < fd) {
+			error = ENOENT;
+			goto bad;
+		}
+		fd = fd1;
 	}

 	if ((error = fget(td, fd, &fp)) != 0)