Author: kib
Date: Fri May 15 10:45:52 2009
New Revision: 192140
URL: http://svn.freebsd.org/changeset/base/192140

Log:
  MFC r192012:
  Return a controlled EINVAL when the fdescfs lookup routine is given a
  string representing an integer that is too large, instead of overflowing
  and possibly returning a random but valid vnode.

Modified:
  stable/7/sys/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)
  stable/7/sys/dev/ath/ath_hal/   (props changed)
  stable/7/sys/dev/cxgb/   (props changed)
  stable/7/sys/fs/fdescfs/fdesc_vnops.c

Modified: stable/7/sys/fs/fdescfs/fdesc_vnops.c
==============================================================================
--- stable/7/sys/fs/fdescfs/fdesc_vnops.c       Fri May 15 10:11:54 2009        
(r192139)
+++ stable/7/sys/fs/fdescfs/fdesc_vnops.c       Fri May 15 10:45:52 2009        
(r192140)
@@ -264,7 +264,7 @@ fdesc_lookup(ap)
        struct thread *td = cnp->cn_thread;
        struct file *fp;
        int nlen = cnp->cn_namelen;
-       u_int fd;
+       u_int fd, fd1;
        int error;
        struct vnode *fvp;
 
@@ -296,7 +296,12 @@ fdesc_lookup(ap)
                        error = ENOENT;
                        goto bad;
                }
-               fd = 10 * fd + *pname++ - '0';
+               fd1 = 10 * fd + *pname++ - '0';
+               if (fd1 < fd) {
+                       error = ENOENT;
+                       goto bad;
+               }
+               fd = fd1;
        }
 
        if ((error = fget(td, fd, &fp)) != 0)
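Review bot: The added `fd1 < fd` test does not catch every wraparound of `10 * fd + digit`: once fd exceeds UINT_MAX / 10, the truncated product can still land above the old fd, so an oversized name can pass the check and reach `fget()` with a wrapped descriptor number. Checking before the multiply is exact, e.g. `if (fd > (UINT_MAX - (u_int)(*pname - '0')) / 10) { error = ENOENT; goto bad; }`, which also makes `fd1` unnecessary. The log message promises EINVAL while the new branch sets `error = ENOENT`; one of the two should be brought in line. The loop and the rest of fdesc_lookup lie outside the hunk, so this assumes `*pname` has already been validated as a digit by the preceding check.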