Ensure that the supplied data length is large enough to hold the base

FPU state to avoid passing a negative length to fpusetregs() / npxsetregs(). Differential Revision: https://reviews.freebsd.org/D1861 Reviewed by: kib, emaste
2015-02-18 23:34:03 +00:00 · 2015-02-18 23:34:03 +00:00 · 8935302fe1
commit 8935302fe1
parent 9c633deb70
2 changed files with 4 additions and 2 deletions
--- a/sys/amd64/amd64/ptrace_machdep.c
+++ b/sys/amd64/amd64/ptrace_machdep.c
@ -88,7 +88,8 @@ cpu_ptrace_xstate(struct thread *td, int req, void *addr, int data)
 		break;

 	case PT_SETXSTATE:
-		if (data > cpu_max_ext_state_size) {
+		if (data < sizeof(struct savefpu) ||
+		    data > cpu_max_ext_state_size) {
 			error = EINVAL;
 			break;
 		}
--- a/sys/i386/i386/ptrace_machdep.c
+++ b/sys/i386/i386/ptrace_machdep.c
@ -92,7 +92,8 @@ cpu_ptrace_xstate(struct thread *td, int req, void *addr, int data)
 		break;

 	case PT_SETXSTATE:
-		if (data > cpu_max_ext_state_size) {
+		if (data < sizeof(union savefpu) ||
+		    data > cpu_max_ext_state_size) {
 			error = EINVAL;
 			break;
 		}