authorTheo de Raadt <deraadt@cvs.openbsd.org>2011-07-12 22:51:22 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2011-07-12 22:51:22 +0000
commitd1ea07f85dd1e3b074b99c6ce12f0ce6e0b58d7f (patch)
tree18b42eb530c00968944212a51cfdb5fa4e20024c
parent1648ed01f99a5fdb248b03571361865b9a0c4648 (diff)
Range check vnd_secsize, vnd_ntracks, and vnd_nsectors so that later on
they do not get integer truncated on 64-bit machines. ok matthew
-rw-r--r--sys/dev/vnd.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/sys/dev/vnd.c b/sys/dev/vnd.c
index b8b39036fcf..9c30e60a1b5 100644
--- a/sys/dev/vnd.c
+++ b/sys/dev/vnd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vnd.c,v 1.146 2011/07/08 20:10:34 matthew Exp $ */
+/* $OpenBSD: vnd.c,v 1.147 2011/07/12 22:51:21 deraadt Exp $ */
/* $NetBSD: vnd.c,v 1.26 1996/03/30 23:06:11 christos Exp $ */
/*
@@ -50,6 +50,7 @@
#include <sys/namei.h>
#include <sys/proc.h>
#include <sys/errno.h>
+#include <sys/limits.h>
#include <sys/buf.h>
#include <sys/malloc.h>
#include <sys/ioctl.h>
@@ -381,6 +382,12 @@ vndioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p)
if (sc->sc_flags & VNF_INITED)
return (EBUSY);
+ /* Geometry eventually has to fit into label fields */
+ if (vio->vnd_secsize > UINT_MAX ||
+ vio->vnd_ntracks > UINT_MAX ||
+ vio->vnd_nsectors > UINT_MAX)
+ return (EINVAL);
+
if ((error = disk_lock(&sc->sc_dk)) != 0)
return (error);
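Review bot: The added guard bounds `vio->vnd_secsize`, `vio->vnd_ntracks` and `vio->vnd_nsectors` only from above and only one field at a time, so a zero value, or in-range values whose product exceeds 32 bits, still passes this point. The three fields appear to come from the caller's ioctl argument, and the code that consumes them is outside this hunk (vndioctl's body starts and ends outside it), so whether a later division by the sector size or a tracks-times-sectors multiplication into a label field is reachable cannot be confirmed from here. If either is, the check needs a lower bound and a product bound too, e.g. `vio->vnd_secsize == 0 ||` as an extra term and a 64-bit comparison of the product against `UINT_MAX`. If zero is a deliberate "use default" value, the comment should record that, for example `/* Upper bounds only: each value must fit a 32-bit label field; zero is handled at <location> */`.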
@@ -401,7 +408,7 @@ vndioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p)
* them.
*/
NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, vio->vnd_file, p);
- sc->sc_flags &= ~VNF_READONLY;
+ sc->sc_flags &= ~VNF_READONLY;
error = vn_open(&nd, FREAD|FWRITE, 0);
if (error == EROFS) {
sc->sc_flags |= VNF_READONLY;