Author: trociny
Date: Sun Apr 10 15:21:46 2011
New Revision: 220522
URL: http://svn.freebsd.org/changeset/base/220522

Log:
  In hast_proto_recv_data() check that the size of the data to be
  received does not exceed the buffer size.
  
  Approved by:  pjd (mentor)
  MFC after:    1 week

Modified:
  head/sbin/hastd/hast_proto.c

Modified: head/sbin/hastd/hast_proto.c
==============================================================================
--- head/sbin/hastd/hast_proto.c        Sun Apr 10 15:11:19 2011        
(r220521)
+++ head/sbin/hastd/hast_proto.c        Sun Apr 10 15:21:46 2011        
(r220522)
@@ -189,9 +189,12 @@ hast_proto_recv_data(const struct hast_r
        dptr = data;
 
        dsize = nv_get_uint32(nv, "size");
-       if (dsize == 0)
+       if (dsize > size) {
+               errno = EINVAL;
+               goto end;
+       } else if (dsize == 0) {
                (void)nv_set_error(nv, 0);
-       else {
+       } else {
                if (proto_recv(conn, data, dsize) < 0)
                        goto end;
                for (ii = sizeof(pipeline) / sizeof(pipeline[0]); ii > 0;
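Review bot: In the new `dsize > size` branch, the function sets `errno = EINVAL` and jumps to `end` without calling `proto_recv()`, so the `dsize` bytes the peer announced are still pending on `conn`. If the connection is reused after this error, a later read would see payload bytes where it expects a header. Either document that callers must drop the connection when this function fails with `EINVAL`, or make that explicit at this point. The branch is also silent: `dsize` is taken from the "size" field of the received `nv`, so a log line recording the announced size and the buffer size would help when diagnosing a misbehaving peer. A one-line comment above the check stating that "size" is supplied by the remote side and must not exceed the caller's buffer would make the intent clear to later readers.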