Check for overflow and return EINVAL if detected. Backport this and
r300305 to i386. PR: 209661 Reported and reviewed by: cturt Sponsored by: The FreeBSD Foundation MFC after: 3 days
This commit is contained in:
parent
ed372eaa9f
commit
515614230c
@ -344,7 +344,8 @@ amd64_set_ioperm(td, uap)
|
||||
return (error);
|
||||
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
|
||||
return (error);
|
||||
if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
|
||||
if (uap->start > uap->start + uap->length ||
|
||||
uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
|
||||
return (EINVAL);
|
||||
|
||||
/*
|
||||
|
@ -315,8 +315,9 @@ i386_set_ioperm(td, uap)
|
||||
struct thread *td;
|
||||
struct i386_ioperm_args *uap;
|
||||
{
|
||||
int i, error;
|
||||
char *iomap;
|
||||
u_int i;
|
||||
int error;
|
||||
|
||||
if ((error = priv_check(td, PRIV_IO)) != 0)
|
||||
return (error);
|
||||
@ -334,7 +335,8 @@ i386_set_ioperm(td, uap)
|
||||
return (error);
|
||||
iomap = (char *)td->td_pcb->pcb_ext->ext_iomap;
|
||||
|
||||
if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
|
||||
if (uap->start > uap->start + uap->length ||
|
||||
uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
|
||||
return (EINVAL);
|
||||
|
||||
for (i = uap->start; i < uap->start + uap->length; i++) {
|
||||
|
Loading…
Reference in New Issue
Block a user