Properly sanity-check the old msgbuf structure before we accept it
as being valid. Previously only the magic number and the virtual address were checked, but it makes little sense to require that the virtual address is the same (the message buffer is located at the end of physical memory), and checks on the msg_bufx and msg_bufr indices were missing. Submitted by: Bodo Rueskamp <br@clabsms.de> Tripped over during a kernel debugging tutorial given by: grog Reviewed by: grog, dwmalone MFC after: 1 week
This commit is contained in:
parent
d061342650
commit
8122c9fcb4
@ -802,14 +802,17 @@ msgbufinit(void *ptr, size_t size)
|
||||
char *cp;
|
||||
static struct msgbuf *oldp = NULL;
|
||||
|
||||
size -= sizeof(*msgbufp);
|
||||
cp = (char *)ptr;
|
||||
msgbufp = (struct msgbuf *) (cp + size - sizeof(*msgbufp));
|
||||
if (msgbufp->msg_magic != MSG_MAGIC || msgbufp->msg_ptr != cp) {
|
||||
msgbufp = (struct msgbuf *) (cp + size);
|
||||
if (msgbufp->msg_magic != MSG_MAGIC || msgbufp->msg_size != size ||
|
||||
msgbufp->msg_bufx >= size || msgbufp->msg_bufr >= size) {
|
||||
bzero(cp, size);
|
||||
bzero(msgbufp, sizeof(*msgbufp));
|
||||
msgbufp->msg_magic = MSG_MAGIC;
|
||||
msgbufp->msg_size = (char *)msgbufp - cp;
|
||||
msgbufp->msg_ptr = cp;
|
||||
}
|
||||
msgbufp->msg_ptr = cp;
|
||||
if (msgbufmapped && oldp != msgbufp)
|
||||
msgbufcopy(oldp);
|
||||
msgbufmapped = 1;
|
||||
|
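Review bot: The new range check on the line `msgbufp->msg_bufx >= size || msgbufp->msg_bufr >= size` is only meaningful if `size` is still sane after `size -= sizeof(*msgbufp);`, and nothing in the hunk guards that subtraction: a caller passing a `size` smaller than the header wraps `size` (it is a `size_t`), the `>= size` tests then pass trivially, and the fall-back `bzero(cp, size)` would run far past the buffer. A cheap guard before the subtraction, e.g. `KASSERT(size > sizeof(*msgbufp), ("msgbufinit: buffer too small for msgbuf header"));`, would make the check self-contained. The sides of the old/new lines are not fully recoverable from this rendering, so if `msgbufp->msg_size = (char *)msgbufp - cp;` is on the new side it is equal to `size` and could be written as `msgbufp->msg_size = size;` to match the comparison two lines above. The function body continues past the hunk (the trailing `oldp` update and closing brace are not shown).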