upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

oce: Tighten input validation in the SIOCGI2C handler.

Browse source 
Missing validation meant that it was possible to read 8 bytes beyond
the end of sfp_vpd_dump_buffer.

Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by:	delphij, ram
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D22859
This commit is contained in:
Mark Johnston 2019-12-18 18:44:16 +00:00
parent 3ab798a100
commit 6e7ecc9a89
1 changed files with 8 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
sys/dev/oce/oce_if.c
View file

@ -593,28 +593,27 @@ oce_ioctl(struct ifnet *ifp, u_long command, caddr_t data)
if (rc)
break;
if (i2c.dev_addr != PAGE_NUM_A0 &&
i2c.dev_addr != PAGE_NUM_A2) {
if (i2c.dev_addr == PAGE_NUM_A0) {
offset = i2c.offset;
} else if (i2c.dev_addr == PAGE_NUM_A2) {
offset = TRANSCEIVER_A0_SIZE + i2c.offset;
} else {
rc = EINVAL;
break;
}
if (i2c.len > sizeof(i2c.data)) {
if (i2c.len > sizeof(i2c.data) ||
i2c.len + offset > sizeof(sfp_vpd_dump_buffer)) {
rc = EINVAL;
break;
}
rc = oce_mbox_read_transrecv_data(sc, i2c.dev_addr);
if(rc) {
if (rc) {
rc = -rc;
break;
}
if (i2c.dev_addr == PAGE_NUM_A0)
offset = i2c.offset;
else
offset = TRANSCEIVER_A0_SIZE + i2c.offset;
memcpy(&i2c.data[0], &sfp_vpd_dump_buffer[offset], i2c.len);
rc = copyout(&i2c, ifr_data_get_ptr(ifr), sizeof(i2c));