Module Name: src
Committed By: christos
Date: Tue Jul 20 17:26:04 UTC 2010
Modified Files:
src/sys/coda: coda.h coda_venus.c coda_vnops.c
Log Message:
Correct incomplete size checks for the coda ioctls. From Dan Rosenberg.
To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/sys/coda/coda.h
cvs rdiff -u -r1.27 -r1.28 src/sys/coda/coda_venus.c
cvs rdiff -u -r1.75 -r1.76 src/sys/coda/coda_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/coda/coda.h
diff -u src/sys/coda/coda.h:1.15 src/sys/coda/coda.h:1.16
--- src/sys/coda/coda.h:1.15 Mon Sep 28 06:51:35 2009
+++ src/sys/coda/coda.h Tue Jul 20 13:26:03 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: coda.h,v 1.15 2009/09/28 10:51:35 blymn Exp $ */
+/* $NetBSD: coda.h,v 1.16 2010/07/20 17:26:03 christos Exp $ */
/*
@@ -793,8 +793,8 @@
#define PIOCPARM_MASK 0x0000ffff
struct ViceIoctl {
void *in, *out; /* Data to be transferred in, or out */
- short in_size; /* Size of input buffer <= 2K */
- short out_size; /* Maximum size of output buffer, <= 2K */
+ unsigned short in_size; /* Size of input buffer <= 2K */
+ unsigned short out_size;/* Maximum size of output buffer, <= 2K */
};
struct PioctlData {
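Review bot: The comments on `in_size` and `out_size` still promise "<= 2K", but the limits this commit enforces are `VC_MAXMSGSIZE` in coda_venus.c and `VC_MAXDATASIZE` in coda_vnops.c. Their values are not visible here, so if they are not 2K the header misstates the contract for userland callers. The fields are now unsigned and appear to come straight from the ioctl argument, so the comment is the natural place to say so, for example `unsigned short in_size; /* Caller-supplied input size; kernel rejects > VC_MAXDATASIZE */`, and likewise for `out_size`. The hunk ends on the opening line of `struct PioctlData`, whose body is outside this view.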
Index: src/sys/coda/coda_venus.c
diff -u src/sys/coda/coda_venus.c:1.27 src/sys/coda/coda_venus.c:1.28
--- src/sys/coda/coda_venus.c:1.27 Sat Apr 18 10:58:02 2009
+++ src/sys/coda/coda_venus.c Tue Jul 20 13:26:03 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: coda_venus.c,v 1.27 2009/04/18 14:58:02 tsutsui Exp $ */
+/* $NetBSD: coda_venus.c,v 1.28 2010/07/20 17:26:03 christos Exp $ */
/*
*
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.27 2009/04/18 14:58:02 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.28 2010/07/20 17:26:03 christos Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -308,7 +308,7 @@
tmp = ((com >> 16) & IOCPARM_MASK) - sizeof (char *) - sizeof (int);
inp->cmd |= (tmp & IOCPARM_MASK) << 16;
- if (iap->vi.in_size < 0 || iap->vi.in_size > VC_MAXMSGSIZE) {
+ if (iap->vi.in_size > VC_MAXMSGSIZE || iap->vi.out_size > VC_MAXMSGSIZE) {
CODA_FREE(inp, coda_ioctl_size);
return (EINVAL);
}
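Review bot: The bound used here is `VC_MAXMSGSIZE`, while the matching check in coda_vnops.c uses `VC_MAXDATASIZE`. `CODA_FREE(inp, coda_ioctl_size)` suggests `inp` is a single message buffer of `coda_ioctl_size` bytes. If the payload is later copied into that buffer behind a request header (the copy is outside this hunk, so this is inferred), a size equal to the full message size leaves no room for the header and the copy could run past the allocation. Using the data limit in both files would remove the discrepancy: `if (iap->vi.in_size > VC_MAXDATASIZE || iap->vi.out_size > VC_MAXDATASIZE) {`. The enclosing function starts and ends outside the hunk.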
Index: src/sys/coda/coda_vnops.c
diff -u src/sys/coda/coda_vnops.c:1.75 src/sys/coda/coda_vnops.c:1.76
--- src/sys/coda/coda_vnops.c:1.75 Thu Jul 1 09:00:54 2010
+++ src/sys/coda/coda_vnops.c Tue Jul 20 13:26:03 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: coda_vnops.c,v 1.75 2010/07/01 13:00:54 hannken Exp $ */
+/* $NetBSD: coda_vnops.c,v 1.76 2010/07/20 17:26:03 christos Exp $ */
/*
*
@@ -46,7 +46,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: coda_vnops.c,v 1.75 2010/07/01 13:00:54 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: coda_vnops.c,v 1.76 2010/07/20 17:26:03 christos Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -539,7 +539,7 @@
return(EINVAL);
}
- if (iap->vi.in_size > VC_MAXDATASIZE) {
+ if (iap->vi.in_size > VC_MAXDATASIZE || iap->vi.out_size > VC_MAXDATASIZE) {
vrele(tvp);
return(EINVAL);
}
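Review bot: The new `if` condition runs past 80 columns and has no comment saying that both sizes are untrusted values taken from the caller's `struct ViceIoctl`. I would wrap it as `if (iap->vi.in_size > VC_MAXDATASIZE ||` followed by `iap->vi.out_size > VC_MAXDATASIZE) {`, and put `/* in_size and out_size are caller-supplied; bound both before use */` above it. The same over-long line appears in the coda_venus.c hunk. Only part of the enclosing function is visible here.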