upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

cfi: check for inter overflow in cfi_devioctl

Browse source 
Reported by:    Pietro Oliva
Reviewed by:	markj
MFC after:	3 days
Security:	Possible OOB read in root-only ioctl
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Ed Maste 2019-11-25 21:21:37 +00:00
parent 735c001b6b
commit 985d08fe52
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
sys/dev/cfi/cfi_dev.c
View file

@ -280,7 +280,8 @@ cfi_devioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag,
rq = (struct cfiocqry *)data;
if (rq->offset >= sc->sc_size / sc->sc_width)
return (ESPIPE);
if (rq->offset + rq->count > sc->sc_size / sc->sc_width)
if (rq->offset > ULONG_MAX - rq->count ||
rq->offset + rq->count > sc->sc_size / sc->sc_width)
return (ENOSPC);
while (!error && rq->count--) {