Author: sbruno
Date: Mon Apr 18 23:26:11 2016
New Revision: 298231
URL: https://svnweb.freebsd.org/changeset/base/298231

Log:
  hptmv(4) Fix potential buffer overflow in hpt_set_info.
  
  While here, adjust some whitespace and yield some useful debug info.
  
  This is untested on this hardware, testing requests to -scsi went
  unanswered.
  
  PR:   206585
  Submitted by: ct...@hardenedbsd.org
  MFC after:    2 weeks

Modified:
  head/sys/dev/hptmv/hptproc.c

Modified: head/sys/dev/hptmv/hptproc.c
==============================================================================
--- head/sys/dev/hptmv/hptproc.c        Mon Apr 18 23:09:22 2016        
(r298230)
+++ head/sys/dev/hptmv/hptproc.c        Mon Apr 18 23:26:11 2016        
(r298231)
@@ -308,7 +308,9 @@ hpt_set_info(int length)
                        /*
                         * map buffer to kernel.
                         */
-                       if (piop->nInBufferSize+piop->nOutBufferSize > 
PAGE_SIZE) {
+                       if (piop->nInBufferSize > PAGE_SIZE ||
+                               piop->nOutBufferSize > PAGE_SIZE ||
+                               piop->nInBufferSize+piop->nOutBufferSize > 
PAGE_SIZE) {
                                KdPrintE(("User buffer too large\n"));
                                return -EINVAL;
                        }
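Review bot: The two added per-field comparisons read as redundant next to the sum check that follows them, and nothing says why they are there; a one-line comment would keep a later cleanup from dropping them, e.g. `/* test each size alone first so the sum cannot wrap around before the PAGE_SIZE comparison */`. Whether wrap-around is actually reachable depends on the declared type of nInBufferSize and nOutBufferSize, which is not visible in this hunk; if those fields are signed, a negative value would pass all three comparisons and should be rejected explicitly. The body of hpt_set_info continues outside the hunk.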
@@ -319,8 +321,13 @@ hpt_set_info(int length)
                                        return -EINVAL;
                                }
 
-                       if (piop->nInBufferSize)
-                               copyin((void*)(ULONG_PTR)piop->lpInBuffer, 
ke_area, piop->nInBufferSize);
+                       if (piop->nInBufferSize) {
+                               if (copyin((void*)(ULONG_PTR)piop->lpInBuffer, 
ke_area, piop->nInBufferSize) != 0) {
+                                       KdPrintE(("Failed to copyin from 
lpInBuffer\n"));
+                                       free(ke_area, M_DEVBUF);
+                                       return -EFAULT;
+                               }
+                       }
 
                        /*
                          * call kernel handler.
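Review bot: The new failed-copyin path returns -EFAULT while every other error return visible in this function (the size check above, the signature check below) returns -EINVAL; -EFAULT is the conventional code for an unreadable user address, so the difference is deliberate but deserves a short comment, e.g. `/* -EFAULT: user address unreadable, unlike the -EINVAL argument errors */`. The output direction is the other half of this fix: if ke_area is copied back to lpOutBuffer with copyout() further down (that code lies between this hunk and the next and is not shown), its return value deserves the same check and free-on-failure. The allocation of ke_area and the rest of the enclosing function are outside the hunk.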
@@ -342,7 +349,7 @@ hpt_set_info(int length)
                        else  KdPrintW(("Kernel_ioctl(): return %d\n", err));
 
                        free(ke_area, M_DEVBUF);
-                       return -EINVAL;
+                       return -EINVAL;
                } else  {
                KdPrintW(("Wrong signature: %x\n", piop->Magic));
                return -EINVAL;