diff options
author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2011-07-12 22:51:22 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2011-07-12 22:51:22 +0000 |
commit | d1ea07f85dd1e3b074b99c6ce12f0ce6e0b58d7f (patch) | |
tree | 18b42eb530c00968944212a51cfdb5fa4e20024c | |
parent | 1648ed01f99a5fdb248b03571361865b9a0c4648 (diff) |
Range check vnd_secsize, vnd_ntracks, and vnd_nsectors so that later on
they do not get integer truncated on 64-bit machines.
ok matthew
-rw-r--r-- | sys/dev/vnd.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/sys/dev/vnd.c b/sys/dev/vnd.c index b8b39036fcf..9c30e60a1b5 100644 --- a/sys/dev/vnd.c +++ b/sys/dev/vnd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vnd.c,v 1.146 2011/07/08 20:10:34 matthew Exp $ */ +/* $OpenBSD: vnd.c,v 1.147 2011/07/12 22:51:21 deraadt Exp $ */ /* $NetBSD: vnd.c,v 1.26 1996/03/30 23:06:11 christos Exp $ */ /* @@ -50,6 +50,7 @@ #include <sys/namei.h> #include <sys/proc.h> #include <sys/errno.h> +#include <sys/limits.h> #include <sys/buf.h> #include <sys/malloc.h> #include <sys/ioctl.h> @@ -381,6 +382,12 @@ vndioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p) if (sc->sc_flags & VNF_INITED) return (EBUSY); + /* Geometry eventually has to fit into label fields */ + if (vio->vnd_secsize > UINT_MAX || + vio->vnd_ntracks > UINT_MAX || + vio->vnd_nsectors > UINT_MAX) + return (EINVAL); + if ((error = disk_lock(&sc->sc_dk)) != 0) return (error); @@ -401,7 +408,7 @@ vndioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p) * them. */ NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, vio->vnd_file, p); - sc->sc_flags &= ~VNF_READONLY; + sc->sc_flags &= ~VNF_READONLY; error = vn_open(&nd, FREAD|FWRITE, 0); if (error == EROFS) { sc->sc_flags |= VNF_READONLY; |