hptmv(4) Fix potential buffer overflow in hpt_set_info.

While here, adjust some whitespace and yield some useful debug info.

This is untested on this hardware, testing requests to -scsi went
unanswered.

PR:	206585
Submitted by:	cturt@hardenedbsd.org
MFC after:	2 weeks
Sean Bruno 2016-04-18 23:26:11 +00:00
parent 87ed2b7f5a
commit a0adbb3df1


@ -308,7 +308,9 @@ hpt_set_info(int length)
/*
* map buffer to kernel.
*/
if (piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
if (piop->nInBufferSize > PAGE_SIZE ||
piop->nOutBufferSize > PAGE_SIZE ||
piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
KdPrintE(("User buffer too large\n"));
return -EINVAL;
}
@ -319,8 +321,13 @@ hpt_set_info(int length)
return -EINVAL;
}
if (piop->nInBufferSize)
copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize);
if (piop->nInBufferSize) {
if (copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize) != 0) {
KdPrintE(("Failed to copyin from lpInBuffer\n"));
free(ke_area, M_DEVBUF);
return -EFAULT;
}
}
/*
* call kernel handler.
@ -342,7 +349,7 @@ hpt_set_info(int length)
else KdPrintW(("Kernel_ioctl(): return %d\n", err));
free(ke_area, M_DEVBUF);
return -EINVAL;
return -EINVAL;
} else {
KdPrintW(("Wrong signature: %x\n", piop->Magic));
return -EINVAL;
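Review bot: The size check in the first hunk has no comment saying why each length is tested before the sum, and the third clause is only safe because the first two bound its operands; I would add `/* Bound each length first: the sum of two user-supplied sizes can wrap and pass the PAGE_SIZE test. */` above the `if`. The check also relies on nInBufferSize and nOutBufferSize being unsigned, which their declaration (not shown on this page) should confirm, since a negative signed value would pass all three comparisons and reach the copyin length in the second hunk. The new copyin failure path frees ke_area before returning, which is correct; any copyout of results later in hpt_set_info is outside these hunks and would merit the same return-value check. The body of hpt_set_info starts and ends outside the hunks shown.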