From a6d008350d0e5bf875cd4e5558e6c2ed4175cb66 Mon Sep 17 00:00:00 2001 From: Maxim Konovalov Date: Thu, 24 Feb 2005 13:14:41 +0000 Subject: [PATCH] o Move ifcr_count sanity check up and reject negative values before we panic at kmem_alloc() via malloc(9). PR: kern/77748 Submitted by: Wojciech A. Koszek OK'ed by: brooks Security: local DoS, a sample code in the PR. MFC after: 3 days --- sys/net/if_clone.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/sys/net/if_clone.c b/sys/net/if_clone.c index 389896dd0b2..7dd3d599864 100644 --- a/sys/net/if_clone.c +++ b/sys/net/if_clone.c @@ -239,6 +239,9 @@ if_clone_list(struct if_clonereq *ifcr) struct if_clone *ifc; int buf_count, count, err = 0; + if (ifcr->ifcr_count < 0) + return (EINVAL); + IF_CLONERS_LOCK(); /* * Set our internal output buffer size. We could end up not @@ -261,12 +264,6 @@ if_clone_list(struct if_clonereq *ifcr) /* Just asking how many there are. */ goto done; } - - if (ifcr->ifcr_count < 0) { - err = EINVAL; - goto done; - } - count = (if_cloners_count < buf_count) ? if_cloners_count : buf_count;