From eae6b3d7742ccb5096c35bc018639c519bce27f6 Mon Sep 17 00:00:00 2001
From: davidcs
Date: Fri, 15 Nov 2013 01:44:58 +0000
Subject: [PATCH] Validate the buffer and its length passed to QLA_MPI_DUMP. copyout dump only if qls_mpi_core_dump() is successful. (like to credit x90c for pointing the issue)
Submitted by:David C Somayajulu
---
 sys/dev/qlxge/qls_ioctl.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/sys/dev/qlxge/qls_ioctl.c b/sys/dev/qlxge/qls_ioctl.c
index 5afa77631985..6b39fc96781e 100644
--- a/sys/dev/qlxge/qls_ioctl.c
+++ b/sys/dev/qlxge/qls_ioctl.c
@@ -100,13 +100,16 @@ qls_eioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag,
 if (mpi_dump->size == 0) {
 mpi_dump->size = sizeof (qls_mpi_coredump_t);
 } else {
- if (mpi_dump->size < sizeof (qls_mpi_coredump_t))
+ if ((mpi_dump->size != sizeof (qls_mpi_coredump_t)) ||
+ (mpi_dump->dbuf == NULL))
 rval = EINVAL;
 else {
- qls_mpi_core_dump(ha);
- rval = copyout( &ql_mpi_coredump,
- mpi_dump->dbuf,
- mpi_dump->size);
+ if (qls_mpi_core_dump(ha) == 0) {
+ rval = copyout(&ql_mpi_coredump,
+ mpi_dump->dbuf,
+ mpi_dump->size);
+ } else
+ rval = ENXIO;
 if (rval) {
 device_printf(ha->pci_dev,