Add additional range checks for copyout targets.

Submitted by: Silvio Cesare <silvio@qualys.com>
2002-08-09 05:50:32 +00:00 · 2002-08-09 05:50:32 +00:00 · 1bb6530f3e
commit 1bb6530f3e
parent 3cb4683ef0
2 changed files with 5 additions and 1 deletions
--- a/sys/i386/isa/vesa.c
+++ b/sys/i386/isa/vesa.c
@ -1330,7 +1330,9 @@ get_palette(video_adapter_t *adp, int base, int count,
 	int bits;
 	int error;

-	if ((base < 0) || (base >= 256) || (base + count > 256))
+	if ((base < 0) || (base >= 256) || (count < 0) || (count > 256))
+		return 1;
+	if ((base + count) > 256)
 		return 1;
 	if (!(vesa_adp_info->v_flags & V_DAC8) || !VESA_MODE(adp->va_mode))
 		return 1;
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@ -256,6 +256,8 @@ accept1(td, uap, compat)
 		error = copyin(uap->anamelen, &namelen, sizeof (namelen));
 		if(error)
 			goto done2;
+		if (namelen < 0)
+			return (EINVAL);
 	}
 	error = fgetsock(td, uap->s, &head, &fflag);
 	if (error)