Module Name: src Committed By: maxv Date: Fri Apr 4 06:47:02 UTC 2014
Modified Files: src/sys/kern: vfs_syscalls.c Log Message: Limit check for 'data_len'. Otherwise a (un)privileged user can easily panic the system by passing a huge size. ok christos@ To generate a diff of this commit: cvs rdiff -u -r1.477 -r1.478 src/sys/kern/vfs_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:

Index: src/sys/kern/vfs_syscalls.c
diff -u src/sys/kern/vfs_syscalls.c:1.477 src/sys/kern/vfs_syscalls.c:1.478
--- src/sys/kern/vfs_syscalls.c:1.477 Sat Mar 22 08:15:25 2014
+++ src/sys/kern/vfs_syscalls.c Fri Apr 4 06:47:02 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_syscalls.c,v 1.477 2014/03/22 08:15:25 maxv Exp $ */
+/* $NetBSD: vfs_syscalls.c,v 1.478 2014/04/04 06:47:02 maxv Exp $ */

 /*-
 * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.477 2014/03/22 08:15:25 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.478 2014/04/04 06:47:02 maxv Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_fileassoc.h"
@@ -485,10 +485,7 @@ do_sys_mount(struct lwp *l, struct vfsop
 if (data_len == 0) {
 /* No length supplied, use default for filesystem */
 data_len = vfsops->vfs_min_mount_data;
- if (data_len > VFS_MAX_MOUNT_DATA) {
- error = EINVAL;
- goto done;
- }
+
 /*
 * Hopefully a longer buffer won't make copyin() fail.
 * For compatibility with 3.0 and earlier.
@@ -497,6 +494,10 @@ do_sys_mount(struct lwp *l, struct vfsop
 && data_len < sizeof (struct mnt_export_args30))
 data_len = sizeof (struct mnt_export_args30);
 }
+ if (data_len > VFS_MAX_MOUNT_DATA) {
+ error = EINVAL;
+ goto done;
+ }
 data_buf = kmem_alloc(data_len, KM_SLEEP);

 /* NFS needs the buffer even for mnt_getargs .... */
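Review bot: The relocated bound in the last hunk (`if (data_len > VFS_MAX_MOUNT_DATA)`) carries no comment explaining why it must sit after the `data_len == 0` block, and that ordering is the whole fix. Placed there it covers the caller-supplied length as well as the defaulted one and the `mnt_export_args30` bump, all before `kmem_alloc(data_len, KM_SLEEP)`. I would add `/* Bound caller-supplied and defaulted lengths alike before allocating. */` above it so the check is not folded back into the branch later. The upper bound alone also assumes `data_len` is an unsigned type and non-zero when it reaches `kmem_alloc()`. The declaration and `vfs_min_mount_data` are outside this hunk, so both are worth confirming. do_sys_mount's body starts and ends outside the hunk.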