authorDavid Gwynne <dlg@cvs.openbsd.org>2010-06-21 13:28:10 +0000
committerDavid Gwynne <dlg@cvs.openbsd.org>2010-06-21 13:28:10 +0000
commitbe46de36488432dff6a1247fbee6546a9f73c2e2 (patch)
treeb9c2d9030999be1fa62d1286b0d65b17ba1e749e
parentd690d63f1787efc4cf8e4389e2a26f31dd6066b4 (diff)
fix an integer arithmetic overflow.
An attacker can get past the ENOMEM check in vscsi_data() by first reading/writing 1 byte and then reading/writing 0xffffffff bytes. found and fixed by matthew dempsky
-rw-r--r--sys/dev/vscsi.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/vscsi.c b/sys/dev/vscsi.c
index d7579b50da5..1a3e37317d3 100644
--- a/sys/dev/vscsi.c
+++ b/sys/dev/vscsi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vscsi.c,v 1.10 2010/06/10 05:31:41 armani Exp $ */
+/* $OpenBSD: vscsi.c,v 1.11 2010/06/21 13:28:09 dlg Exp $ */
/*
* Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
@@ -336,7 +336,7 @@ vscsi_data(struct vscsi_softc *sc, struct vscsi_ioc_data *data, int read)
xs = ccb->ccb_xs;
- if (data->datalen + ccb->ccb_datalen > xs->datalen)
+ if (data->datalen > xs->datalen - ccb->ccb_datalen)
return (ENOMEM);
switch (xs->flags & (SCSI_DATA_IN | SCSI_DATA_OUT)) {
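Review bot: The rewritten bound `if (data->datalen > xs->datalen - ccb->ccb_datalen)` is only wrap-free while `ccb->ccb_datalen <= xs->datalen`, and nothing visible in the hunk states or enforces that invariant. If these fields are unsigned (their declarations are outside the hunk), a ccb_datalen that ever exceeded xs->datalen would wrap the subtraction to a very large value and let the ENOMEM check pass again. Presumably the check maintains the invariant itself, since ccb_datalen should only grow by an already accepted data->datalen, but that accumulation happens further down in vscsi_data(), outside this hunk, so it should be confirmed there. I would record the assumption next to the check, e.g. `/* ccb_datalen never exceeds xs->datalen, so this subtraction cannot wrap */`, or assert it with `KASSERT(ccb->ccb_datalen <= xs->datalen);` just before the comparison.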