Check for lengths being <= 0. Note that this interface can only

be accessed by root. It uses unsigned ints instead of size_t to preserve the ABI. PR: 207627 Submitted by: ryan@ryanday.net (with slight tweaks) MFC after: 1 month
2016-11-03 10:11:59 +00:00 · 2016-11-03 10:11:59 +00:00 · e8e5471317
commit e8e5471317
parent d0dec3458f
2 changed files with 21 additions and 8 deletions
--- a/sys/cam/ctl/ctl.c
+++ b/sys/cam/ctl/ctl.c
@ -2370,7 +2370,7 @@ ctl_ioctl_fill_ooa(struct ctl_lun *lun, uint32_t *cur_fill_num,
 }

 static void *
-ctl_copyin_alloc(void *user_addr, int len, char *error_str,
+ctl_copyin_alloc(void *user_addr, unsigned int len, char *error_str,
 		 size_t error_str_len)
 {
 	void *kptr;
@ -2425,6 +2425,12 @@ ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
 	for (i = 0; i < num_args; i++) {
 		uint8_t *tmpptr;

+		if (args[i].namelen == 0) {
+			snprintf(error_str, error_str_len, "Argument %d "
+				 "name length is zero", i);
+			goto bailout;
+		}
+
 		args[i].kname = ctl_copyin_alloc(args[i].name,
 			args[i].namelen, error_str, error_str_len);
 		if (args[i].kname == NULL)
@ -2437,10 +2443,17 @@ ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
 		}

 		if (args[i].flags & CTL_BEARG_RD) {
+			if (args[i].vallen == 0) {
+				snprintf(error_str, error_str_len, "Argument %d "
+					 "value length is zero", i);
+				goto bailout;
+			}
+
 			tmpptr = ctl_copyin_alloc(args[i].value,
 				args[i].vallen, error_str, error_str_len);
 			if (tmpptr == NULL)
 				goto bailout;
+
 			if ((args[i].flags & CTL_BEARG_ASCII)
 			 && (tmpptr[args[i].vallen - 1] != '\0')) {
 				snprintf(error_str, error_str_len, "Argument "
--- a/sys/cam/ctl/ctl_ioctl.h
+++ b/sys/cam/ctl/ctl_ioctl.h
@ -317,20 +317,20 @@ typedef enum {
 *
 * flags:	Flags for the parameter, see above for values.
 *
- * vallen:	Length of the value in bytes.
+ * vallen:	Length of the value in bytes, including the terminating NUL.
 *
- * value:	Value to be set/fetched.
+ * value:	Value to be set/fetched. This must be NUL-terminated.
 *
 * kname:	For kernel use only.
 *
 * kvalue:	For kernel use only.
 */
 struct ctl_be_arg {
-	int	namelen;
-	char	*name;
-	int	flags;
-	int	vallen;
-	void	*value;
+	unsigned int	namelen;
+	char		*name;
+	int		flags;
+	unsigned int	vallen;
+	void		*value;

 	char	*kname;
 	void	*kvalue;