author | David Gwynne <dlg@cvs.openbsd.org> | 2010-06-21 13:28:10 +0000 |
---|---|---|
committer | David Gwynne <dlg@cvs.openbsd.org> | 2010-06-21 13:28:10 +0000 |
commit | be46de36488432dff6a1247fbee6546a9f73c2e2 (patch) | |
tree | b9c2d9030999be1fa62d1286b0d65b17ba1e749e | |
parent | d690d63f1787efc4cf8e4389e2a26f31dd6066b4 (diff) |
fix an integer arithmetic overflow.
An attacker can get past the ENOMEM check in vscsi_data() by first
reading/writing 1 byte and then reading/writing 0xffffffff bytes.
found and fixed by matthew dempsky
-rw-r--r-- | sys/dev/vscsi.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/vscsi.c b/sys/dev/vscsi.c
index d7579b50da5..1a3e37317d3 100644
--- a/sys/dev/vscsi.c
+++ b/sys/dev/vscsi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vscsi.c,v 1.10 2010/06/10 05:31:41 armani Exp $ */
+/* $OpenBSD: vscsi.c,v 1.11 2010/06/21 13:28:09 dlg Exp $ */
 /*
 * Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
@@ -336,7 +336,7 @@ vscsi_data(struct vscsi_softc *sc, struct vscsi_ioc_data *data, int read)
 xs = ccb->ccb_xs;
- if (data->datalen + ccb->ccb_datalen > xs->datalen)
+ if (data->datalen > xs->datalen - ccb->ccb_datalen)
 return (ENOMEM);
 switch (xs->flags & (SCSI_DATA_IN | SCSI_DATA_OUT)) { |
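Review bot: The rewritten bound `data->datalen > xs->datalen - ccb->ccb_datalen` in vscsi_data() is only wrap-free while `ccb->ccb_datalen <= xs->datalen`, and nothing in the hunk states or enforces that invariant. If these fields are unsigned (their declarations are outside the hunk), a ccb_datalen larger than xs->datalen would make the subtraction wrap to a very large value and the ENOMEM check would accept any length. Presumably ccb_datalen only grows after passing this same check, but that update is outside the hunk, so I would pin the assumption with `KASSERT(ccb->ccb_datalen <= xs->datalen);` ahead of the test. A short comment such as `/* subtract instead of add: data->datalen is caller-supplied and the sum can wrap */` would also keep a later cleanup from restoring the additive form. The body of vscsi_data() starts and ends outside the hunk.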