upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*

Browse source 
SNDSTIOC_ADD_USER_DEVS* expects a user-supplied sndstioc_nv_arg->nbytes,
however we currently do not check whether this size is actually valid,
which results in a panic when SNDSTIOC_ADD_USER_DEVS* is called with an
invalid size. sndstat_add_user_devs() calls
sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size.

PR:		266142
Sponsored by:	The FreeBSD Foundation
MFC after:	1 day
Reviewed by:	brooks
Differential Revision:	https://reviews.freebsd.org/D45236

(cherry picked from commit 074d337ad618f9cc2a1d5ab18b484928e57bd72b)
(cherry picked from commit 5830a00c2c)

Approved by:	re (cperciva)
This commit is contained in:
Christos Margiolis 2024-05-20 16:18:28 +02:00
parent 5a9a2f5eed
commit 18f80d6d46
2 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
sys/dev/sound/pcm/sndstat.c
View file

@ -865,6 +865,11 @@ sndstat_add_user_devs(struct sndstat_file *pf, caddr_t data)
goto done;
}
if (arg->nbytes > SNDST_UNVLBUF_MAX) {
err = ENOMEM;
goto done;
}
err = sndstat_unpack_user_nvlbuf(arg->buf, arg->nbytes, &nvl);
if (err != 0)
goto done;

5
sys/sys/sndstat.h
View file

@ -74,6 +74,11 @@ struct sndstioc_nv_arg {
#define SNDST_DSPS_SOUND4_PVCHAN "pvchan"
#define SNDST_DSPS_SOUND4_RVCHAN "rvchan"
/*
* Maximum user-specified nvlist buffer size
*/
#define SNDST_UNVLBUF_MAX 65535
#define SNDSTIOC_REFRESH_DEVS \
_IO('D', 100)
#define SNDSTIOC_GET_DEVS \