From 6e7ecc9a89936ac8c19dfb3a8e6abe5669753c1d Mon Sep 17 00:00:00 2001
From: Mark Johnston
Date: Wed, 18 Dec 2019 18:44:16 +0000
Subject: [PATCH] oce: Tighten input validation in the SIOCGI2C handler.

Missing validation meant that it was possible to read 8 bytes beyond the end of sfp_vpd_dump_buffer.

Reported by: Ilja Van Sprundel
Reviewed by: delphij, ram
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D22859
---
 sys/dev/oce/oce_if.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/sys/dev/oce/oce_if.c b/sys/dev/oce/oce_if.c
index 14ca24086bb..a826b0528b2 100644
--- a/sys/dev/oce/oce_if.c
+++ b/sys/dev/oce/oce_if.c
@@ -593,28 +593,27 @@ oce_ioctl(struct ifnet *ifp, u_long command, caddr_t data)
 if (rc)
 break;

- if (i2c.dev_addr != PAGE_NUM_A0 &&
- i2c.dev_addr != PAGE_NUM_A2) {
+ if (i2c.dev_addr == PAGE_NUM_A0) {
+ offset = i2c.offset;
+ } else if (i2c.dev_addr == PAGE_NUM_A2) {
+ offset = TRANSCEIVER_A0_SIZE + i2c.offset;
+ } else {
 rc = EINVAL;
 break;
 }

- if (i2c.len > sizeof(i2c.data)) {
+ if (i2c.len > sizeof(i2c.data) ||
+ i2c.len + offset > sizeof(sfp_vpd_dump_buffer)) {
 rc = EINVAL;
 break;
 }

 rc = oce_mbox_read_transrecv_data(sc, i2c.dev_addr);
- if(rc) {
+ if (rc) {
 rc = -rc;
 break;
 }

- if (i2c.dev_addr == PAGE_NUM_A0)
- offset = i2c.offset;
- else
- offset = TRANSCEIVER_A0_SIZE + i2c.offset;
-
 memcpy(&i2c.data[0], &sfp_vpd_dump_buffer[offset], i2c.len);

 rc = copyout(&i2c, ifr_data_get_ptr(ifr), sizeof(i2c));
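Review bot: The new bound `i2c.len + offset > sizeof(sfp_vpd_dump_buffer)` is checked against the whole buffer, so a PAGE_NUM_A0 request whose `i2c.offset + i2c.len` exceeds TRANSCEIVER_A0_SIZE still passes and is served from what the `TRANSCEIVER_A0_SIZE + i2c.offset` branch suggests is the A2 region. If crossing pages is not intended, bound the A0 case separately, e.g. `if (i2c.dev_addr == PAGE_NUM_A0 && i2c.offset + i2c.len > TRANSCEIVER_A0_SIZE) { rc = EINVAL; break; }`. The additive form also stays wrap-free only if `offset` and the `i2c` fields are narrow enough that the sum cannot overflow; their declarations are outside this hunk, so `offset > sizeof(sfp_vpd_dump_buffer) || i2c.len > sizeof(sfp_vpd_dump_buffer) - offset` would hold whatever the types are. A one-line comment above the check stating the buffer layout (apparently the A0 page followed by the A2 page) would make the offset arithmetic easier to audit. The enclosing case in oce_ioctl starts and ends outside the hunk.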