Module Name:    src
Committed By:   maxv
Date:           Fri Apr  4 06:47:02 UTC 2014

Modified Files:
        src/sys/kern: vfs_syscalls.c

Log Message:
Limit check for 'data_len'. Otherwise an (un)privileged user can easily
panic the system by passing a huge size.

ok christos@


To generate a diff of this commit:
cvs rdiff -u -r1.477 -r1.478 src/sys/kern/vfs_syscalls.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/vfs_syscalls.c
diff -u src/sys/kern/vfs_syscalls.c:1.477 src/sys/kern/vfs_syscalls.c:1.478
--- src/sys/kern/vfs_syscalls.c:1.477	Sat Mar 22 08:15:25 2014
+++ src/sys/kern/vfs_syscalls.c	Fri Apr  4 06:47:02 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls.c,v 1.477 2014/03/22 08:15:25 maxv Exp $	*/
+/*	$NetBSD: vfs_syscalls.c,v 1.478 2014/04/04 06:47:02 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.477 2014/03/22 08:15:25 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.478 2014/04/04 06:47:02 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_fileassoc.h"
@@ -485,10 +485,7 @@ do_sys_mount(struct lwp *l, struct vfsop
 		if (data_len == 0) {
 			/* No length supplied, use default for filesystem */
 			data_len = vfsops->vfs_min_mount_data;
-			if (data_len > VFS_MAX_MOUNT_DATA) {
-				error = EINVAL;
-				goto done;
-			}
+
 			/*
 			 * Hopefully a longer buffer won't make copyin() fail.
 			 * For compatibility with 3.0 and earlier.
@@ -497,6 +494,10 @@ do_sys_mount(struct lwp *l, struct vfsop
 			    && data_len < sizeof (struct mnt_export_args30))
 				data_len = sizeof (struct mnt_export_args30);
 		}
+		if (data_len > VFS_MAX_MOUNT_DATA) {
+			error = EINVAL;
+			goto done;
+		}
 		data_buf = kmem_alloc(data_len, KM_SLEEP);
 
 		/* NFS needs the buffer even for mnt_getargs .... */
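Review bot: A zero length can still reach `kmem_alloc(data_len, KM_SLEEP)`, because the relocated check only enforces the upper bound. This would happen when the caller passes 0 and `vfsops->vfs_min_mount_data` is also 0 for the selected filesystem; whether any filesystem declares that is not visible in this hunk, so it is worth confirming. If it can happen, rejecting it in the same guard is cheap: `if (data_len == 0 || data_len > VFS_MAX_MOUNT_DATA) {`. A one-line comment above the check, such as `/* data_len comes from userland; bound it before sizing the kernel allocation. */`, would also stop the check from being moved back inside the `data_len == 0` branch later. The body of do_sys_mount starts and ends outside the hunk, so how `data_len` is declared and used afterwards could not be checked here.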
