Author: emaste
Date: Mon Aug 12 17:25:32 2019
New Revision: 350903
URL: https://svnweb.freebsd.org/changeset/base/350903

Log:
  nandfs: avoid integer overflow in nandfs_get_dat_bdescs_ioctl
  
  nandfs was removed in head in r349352 and in any case was not built by
  default, but address the potential integer overflow in case someone does
  enable it and manages to avoid a panic from other nandfs issues.
  
  admbugs:      815
  Reported by:  Ilja Van Sprundel <ivansprun...@ioactive.com>
  Reviewed by:  imp
  MFC after:    1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision:        https://reviews.freebsd.org/D21232

Modified:
  stable/12/sys/fs/nandfs/nandfs_dat.c

Modified: stable/12/sys/fs/nandfs/nandfs_dat.c
==============================================================================
--- stable/12/sys/fs/nandfs/nandfs_dat.c        Mon Aug 12 17:18:20 2019        
(r350902)
+++ stable/12/sys/fs/nandfs/nandfs_dat.c        Mon Aug 12 17:25:32 2019        
(r350903)
@@ -298,6 +298,9 @@ nandfs_get_dat_bdescs_ioctl(struct nandfs_device *nffs
        size_t size;
        int error;
 
+       if (nargv->nv_nmembs >= SIZE_MAX / sizeof(struct nandfs_bdesc))
+               return (EINVAL);
+               
        size = nargv->nv_nmembs * sizeof(struct nandfs_bdesc);
        bd = malloc(size, M_NANDFSTEMP, M_WAITOK);
        error = copyin((void *)(uintptr_t)nargv->nv_base, bd, size);
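Review bot: the new test on nargv->nv_nmembs only rules out wraparound of the multiplication, so a count just below SIZE_MAX / sizeof(struct nandfs_bdesc) still passes and reaches malloc(size, M_NANDFSTEMP, M_WAITOK) with a size close to SIZE_MAX taken from the ioctl argument. Consider rejecting nv_nmembs above a sane per-call maximum for this ioctl instead of (or in addition to) the SIZE_MAX bound, so the allocation size is limited before the M_WAITOK malloc and the copyin. Two minor points: the comparison uses >=, which also rejects the exact quotient even though that value would not overflow (harmless, but > is the precise bound), and the third added line contains only whitespace and should be an empty line.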