author | Todd C. Miller <millert@cvs.openbsd.org> | 2001-09-16 00:42:45 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2001-09-16 00:42:45 +0000 |
commit | dcf53c92ea15715a4406b9230a1c68943501ffb2 (patch) | |
tree | 1d6ac3cb6ae47126af1dc54f4f0f5bac7afc49b7 | |
parent | 3b1414ef904bbd7e35b23fc1509a3ea20e822cae (diff) |
Add some missing length checks when passing data from userland to the
kernel. Based on NetBSD patches.
-rw-r--r-- | sys/arch/alpha/include/fbio.h | 6 | ||||
-rw-r--r-- | sys/arch/sparc/dev/cgtwo.c | 8 | ||||
-rw-r--r-- | sys/arch/sparc/include/fbio.h | 6 | ||||
-rw-r--r-- | sys/arch/sun3/dev/cg2.c | 8 | ||||
-rw-r--r-- | sys/arch/sun3/include/fbio.h | 6 | ||||
-rw-r--r-- | sys/dev/ccdvar.h | 7 | ||||
-rw-r--r-- | sys/dev/pci/tga.c | 8 | ||||
-rw-r--r-- | sys/dev/wscons/wsconsio.h | 6 | ||||
-rw-r--r-- | sys/dev/wscons/wsdisplay.c | 13 | ||||
-rw-r--r-- | sys/dev/wscons/wskbd.c | 4 | ||||
-rw-r--r-- | sys/kern/vfs_subr.c | 4 | ||||
-rw-r--r-- | sys/miscfs/umapfs/umap_vfsops.c | 7 | ||||
-rw-r--r-- | sys/net/if_ppp.c | 5 | ||||
-rw-r--r-- | sys/nfs/nfs.h | 6 |
14 files changed, 58 insertions, 36 deletions
diff --git a/sys/arch/alpha/include/fbio.h b/sys/arch/alpha/include/fbio.h index bce6db8ba24..b72df82a767 100644 --- a/sys/arch/alpha/include/fbio.h +++ b/sys/arch/alpha/include/fbio.h @@ -1,4 +1,4 @@ -/* $OpenBSD: fbio.h,v 1.3 1996/10/30 22:39:04 niklas Exp $ */ +/* $OpenBSD: fbio.h,v 1.4 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: fbio.h,v 1.3 1996/08/23 00:50:25 cgd Exp $ */ /* @@ -94,8 +94,8 @@ struct fbinfo { * Color map I/O. */ struct fbcmap { - int index; /* first element (0 origin) */ - int count; /* number of elements */ + u_int index; /* first element (0 origin) */ + u_int count; /* number of elements */ u_char *red; /* red color map elements */ u_char *green; /* green color map elements */ u_char *blue; /* blue color map elements */ diff --git a/sys/arch/sparc/dev/cgtwo.c b/sys/arch/sparc/dev/cgtwo.c index 226ac6dd77e..9cdbe59a1fc 100644 --- a/sys/arch/sparc/dev/cgtwo.c +++ b/sys/arch/sparc/dev/cgtwo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cgtwo.c,v 1.15 2001/08/17 13:52:28 mickey Exp $ */ +/* $OpenBSD: cgtwo.c,v 1.16 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: cgtwo.c,v 1.22 1997/05/24 20:16:12 pk Exp $ */ /* @@ -333,7 +333,8 @@ cgtwogetcmap(sc, cmap) register struct fbcmap *cmap; { u_char red[CG2_CMSIZE], green[CG2_CMSIZE], blue[CG2_CMSIZE]; - int error, start, count, ecount; + int error; + u_int start, count, ecount; register u_int i; register volatile u_short *p; @@ -375,7 +376,8 @@ cgtwoputcmap(sc, cmap) register struct fbcmap *cmap; { u_char red[CG2_CMSIZE], green[CG2_CMSIZE], blue[CG2_CMSIZE]; - int error, start, count, ecount; + int error; + u_int start, count, ecount; register u_int i; register volatile u_short *p; diff --git a/sys/arch/sparc/include/fbio.h b/sys/arch/sparc/include/fbio.h index babb49dea1b..2ae9149767e 100644 --- a/sys/arch/sparc/include/fbio.h +++ b/sys/arch/sparc/include/fbio.h 
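Review bot: Making `start`, `count` and `ecount` unsigned in cgtwogetcmap() and cgtwoputcmap() removes the negative-value case but not wrap-around. If the range test further down (outside these hunks) is still written as a sum such as `ecount = start + count` compared against CG2_CMSIZE, a large `count` can wrap the sum back under the limit. Comparing without the addition avoids that, e.g. `if (start >= CG2_CMSIZE || count > CG2_CMSIZE - start) return (EINVAL);`. The same applies to cg2getcmap() and cg2putcmap() in sys/arch/sun3/dev/cg2.c, which receive the identical declaration change against CMSIZE. All four function bodies continue outside their hunks, so the existing test should be confirmed against the full source.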
@@ -1,4 +1,4 @@ -/* $OpenBSD: fbio.h,v 1.3 1997/08/08 08:26:17 downsj Exp $ */ +/* $OpenBSD: fbio.h,v 1.4 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: fbio.h,v 1.5 1996/09/30 23:45:11 abrown Exp $ */ /* @@ -107,8 +107,8 @@ struct fbinfo { * Color map I/O. */ struct fbcmap { - int index; /* first element (0 origin) */ - int count; /* number of elements */ + u_int index; /* first element (0 origin) */ + u_int count; /* number of elements */ u_char *red; /* red color map elements */ u_char *green; /* green color map elements */ u_char *blue; /* blue color map elements */ diff --git a/sys/arch/sun3/dev/cg2.c b/sys/arch/sun3/dev/cg2.c index aaed1f3412d..884934c33cc 100644 --- a/sys/arch/sun3/dev/cg2.c +++ b/sys/arch/sun3/dev/cg2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cg2.c,v 1.6 1997/01/16 04:03:43 kstailey Exp $ */ +/* $OpenBSD: cg2.c,v 1.7 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: cg2.c,v 1.7 1996/10/13 03:47:26 christos Exp $ */ /* @@ -306,7 +306,8 @@ cg2getcmap(fb, cmap) { struct cg2_softc *sc = fb->fb_private; u_char red[CMSIZE], green[CMSIZE], blue[CMSIZE]; - int error, start, count, ecount; + int error; + u_int start, count, ecount; register u_int i; register u_short *p; @@ -348,7 +349,8 @@ cg2putcmap(fb, cmap) { struct cg2_softc *sc = fb->fb_private; u_char red[CMSIZE], green[CMSIZE], blue[CMSIZE]; - int error, start, count, ecount; + int error; + u_int start, count, ecount; register u_int i; register u_short *p; diff --git a/sys/arch/sun3/include/fbio.h b/sys/arch/sun3/include/fbio.h index d5352e84c40..511daa3b24b 100644 --- a/sys/arch/sun3/include/fbio.h +++ b/sys/arch/sun3/include/fbio.h @@ -1,4 +1,4 @@ -/* $OpenBSD: fbio.h,v 1.2 1997/09/21 04:21:09 niklas Exp $ */ +/* $OpenBSD: fbio.h,v 1.3 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: fbio.h,v 1.3 1994/11/21 21:33:40 gwr Exp $ */ /* 
@@ -105,8 +105,8 @@ struct fbinfo { * Color map I/O. */ struct fbcmap { - int index; /* first element (0 origin) */ - int count; /* number of elements */ + u_int index; /* first element (0 origin) */ + u_int count; /* number of elements */ u_char *red; /* red color map elements */ u_char *green; /* green color map elements */ u_char *blue; /* blue color map elements */ diff --git a/sys/dev/ccdvar.h b/sys/dev/ccdvar.h index 20e5b5098a3..08c54bf91c0 100644 --- a/sys/dev/ccdvar.h +++ b/sys/dev/ccdvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ccdvar.h,v 1.4 1997/11/26 22:30:19 niklas Exp $ */ +/* $OpenBSD: ccdvar.h,v 1.5 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: ccdvar.h,v 1.11 1996/02/28 01:08:32 thorpej Exp $ */ /*- @@ -105,7 +105,7 @@ struct ccddevice { */ struct ccd_ioctl { char **ccio_disks; /* pointer to component paths */ - int ccio_ndisks; /* number of disks to concatenate */ + u_int ccio_ndisks; /* number of disks to concatenate */ int ccio_ileave; /* interleave (DEV_BSIZE blocks) */ int ccio_flags; /* misc. information */ int ccio_unit; /* unit number: use varies */ @@ -185,7 +185,8 @@ struct ccd_softc { int sc_cflags; /* configuration flags */ size_t sc_size; /* size of ccd */ int sc_ileave; /* interleave */ - int sc_nccdisks; /* number of components */ +#define CCD_MAXNDISKS 65536 + u_int sc_nccdisks; /* number of components */ struct ccdcinfo *sc_cinfo; /* component info */ struct ccdiinfo *sc_itable; /* interleave table */ struct ccdgeom sc_geom; /* pseudo geometry info */ diff --git a/sys/dev/pci/tga.c b/sys/dev/pci/tga.c index 23b8c7a4b7b..e5addd7b0b6 100644 --- a/sys/dev/pci/tga.c +++ b/sys/dev/pci/tga.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tga.c,v 1.8 2001/08/25 10:13:30 art Exp $ */ +/* $OpenBSD: tga.c,v 1.9 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: tga.c,v 1.31 2001/02/11 19:34:58 nathanw Exp $ */ /* 
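Review bot: `CCD_MAXNDISKS` is introduced in the struct ccd_softc hunk of sys/dev/ccdvar.h, but none of the 14 files changed in this commit compares `ccio_ndisks` against it, so the limit is declared here without being enforced. The ioctl path that sizes allocations from `ccio_ndisks` should reject larger values before any multiplication, along the lines of `if (ccio->ccio_ndisks > CCD_MAXNDISKS) return (EINVAL);` (the variable name is assumed; that code is not on this page). The `#define` also sits in the middle of the member list with no comment, so a line such as `/* upper bound on ccio_ndisks accepted from userland */` above it would state what it bounds.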
@@ -831,7 +831,8 @@ tga_builtin_set_cursor(dc, cursorp) { struct ramdac_funcs *dcrf = dc->dc_ramdac_funcs; struct ramdac_cookie *dcrc = dc->dc_ramdac_cookie; - int count, error, v; + u_int count, v; + int error; v = cursorp->which; if (v & WSDISPLAY_CURSOR_DOCMAP) { @@ -886,7 +887,8 @@ tga_builtin_get_cursor(dc, cursorp) { struct ramdac_funcs *dcrf = dc->dc_ramdac_funcs; struct ramdac_cookie *dcrc = dc->dc_ramdac_cookie; - int count, error; + int error; + u_int count; cursorp->which = WSDISPLAY_CURSOR_DOALL & ~(WSDISPLAY_CURSOR_DOHOT | WSDISPLAY_CURSOR_DOCMAP); diff --git a/sys/dev/wscons/wsconsio.h b/sys/dev/wscons/wsconsio.h index f942e0b8aa8..a2f7dcbfd34 100644 --- a/sys/dev/wscons/wsconsio.h +++ b/sys/dev/wscons/wsconsio.h @@ -1,4 +1,4 @@ -/* $OpenBSD: wsconsio.h,v 1.12 2001/08/29 20:20:26 mickey Exp $ */ +/* $OpenBSD: wsconsio.h,v 1.13 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: wsconsio.h,v 1.31.2.1 2000/07/07 09:49:17 hannken Exp $ */ /* @@ -148,6 +148,7 @@ struct wskbd_keyrepeat_data { /* Manipulate keysym groups. */ struct wskbd_map_data { u_int maplen; /* number of entries in map */ +#define WSKBDIO_MAXMAPLEN 65536 struct wscons_keymap *map; /* map to get or set */ }; #define WSKBDIO_GETMAP _IOWR('W', 13, struct wskbd_map_data) @@ -314,7 +315,8 @@ struct wsdisplay_font { #define WSDISPLAY_FONTENC_PCVT 2 #define WSDISPLAY_FONTENC_ISO7 3 /* greek */ #define WSDISPLAY_FONTENC_SONY 4 - int fontwidth, fontheight, stride; + u_int fontwidth, fontheight, stride; +#define WSDISPLAY_MAXFONTSZ (512*1024) int bitorder, byteorder; #define WSDISPLAY_FONTORDER_KNOWN 0 /* i.e, no need to convert */ #define WSDISPLAY_FONTORDER_L2R 1 diff --git a/sys/dev/wscons/wsdisplay.c b/sys/dev/wscons/wsdisplay.c index fefd6276899..98ac84e3f1c 100644 --- a/sys/dev/wscons/wsdisplay.c +++ b/sys/dev/wscons/wsdisplay.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: wsdisplay.c,v 1.33 2001/08/29 20:26:18 mickey Exp $ */ +/* $OpenBSD: wsdisplay.c,v 1.34 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: wsdisplay.c,v 1.37.4.1 2000/06/30 16:27:53 simonb Exp $ */ /* @@ -1156,6 +1156,7 @@ wsdisplay_cfg_ioctl(sc, cmd, data, flag, p) { int error; void *buf; + size_t fontsz; #if defined(COMPAT_14) && NWSKBD > 0 struct wsmux_device wsmuxdata; #endif @@ -1186,10 +1187,12 @@ wsdisplay_cfg_ioctl(sc, cmd, data, flag, p) return (EINVAL); if (d->index >= WSDISPLAY_MAXFONT) return (EINVAL); - buf = malloc(d->fontheight * d->stride * d->numchars, - M_DEVBUF, M_WAITOK); - error = copyin(d->data, buf, - d->fontheight * d->stride * d->numchars); + fontsz = d->fontheight * d->stride * d->numchars; + if (fontsz > WSDISPLAY_MAXFONTSZ) + return (EINVAL); + + buf = malloc(fontsz, M_DEVBUF, M_WAITOK); + error = copyin(d->data, buf, fontsz); if (error) { free(buf, M_DEVBUF); return (error); diff --git a/sys/dev/wscons/wskbd.c b/sys/dev/wscons/wskbd.c index 17d34c3ee81..8d851d1384b 100644 --- a/sys/dev/wscons/wskbd.c +++ b/sys/dev/wscons/wskbd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: wskbd.c,v 1.23 2001/06/11 22:48:14 mickey Exp $ */ +/* $OpenBSD: wskbd.c,v 1.24 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: wskbd.c,v 1.38 2000/03/23 07:01:47 thorpej Exp $ */ /* @@ -985,6 +985,8 @@ getkeyrepeat: if ((flag & FWRITE) == 0) return (EACCES); umdp = (struct wskbd_map_data *)data; + if (umdp->maplen > WSKBDIO_MAXMAPLEN) + return (EINVAL); len = umdp->maplen*sizeof(struct wscons_keymap); buf = malloc(len, M_TEMP, M_WAITOK); error = copyin(umdp->map, buf, len); diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c index b0534e07561..bc6919c9793 100644 --- a/sys/kern/vfs_subr.c +++ b/sys/kern/vfs_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vfs_subr.c,v 1.65 2001/08/02 08:16:45 assar Exp $ */ +/* $OpenBSD: vfs_subr.c,v 1.66 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: vfs_subr.c,v 1.53 1996/04/22 01:39:13 christos Exp $ */ /* 
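Review bot: In wsdisplay_cfg_ioctl() the product `d->fontheight * d->stride * d->numchars` is computed before it is compared with WSDISPLAY_MAXFONTSZ, so the multiplication can wrap and yield a small `fontsz` that passes the test. malloc() and copyin() then agree on the wrapped size, but any later code that walks the font using the individual height, stride and character count would be working with a buffer smaller than those fields imply. Bounding the factors before multiplying closes this, for example rejecting `d->stride > WSDISPLAY_MAXFONTSZ / d->fontheight` and then `d->numchars > WSDISPLAY_MAXFONTSZ / (d->fontheight * d->stride)`, with zero or negative values rejected first (the type of `numchars` is not visible on this page). The function starts and ends outside the hunk.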
@@ -1513,6 +1513,8 @@ vfs_hang_addrlist(mp, nep, argp) mp->mnt_flag |= MNT_DEFEXPORTED; return (0); } + if (argp->ex_addrlen > MLEN) + return (EINVAL); i = sizeof(struct netcred) + argp->ex_addrlen + argp->ex_masklen; np = (struct netcred *)malloc(i, M_NETADDR, M_WAITOK); bzero((caddr_t)np, i); diff --git a/sys/miscfs/umapfs/umap_vfsops.c b/sys/miscfs/umapfs/umap_vfsops.c index fc22f8020b7..ee5f9efc82b 100644 --- a/sys/miscfs/umapfs/umap_vfsops.c +++ b/sys/miscfs/umapfs/umap_vfsops.c @@ -1,4 +1,4 @@ -/* $OpenBSD: umap_vfsops.c,v 1.16 2001/02/20 01:50:10 assar Exp $ */ +/* $OpenBSD: umap_vfsops.c,v 1.17 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: umap_vfsops.c,v 1.9 1996/02/09 22:41:05 christos Exp $ */ /* @@ -151,6 +151,11 @@ umapfs_mount(mp, path, data, ndp, p) /* * Now copy in the number of entries and maps for umap mapping. */ + if (args.unentries < 0 || args.unentries > UMAPFILEENTRIES || + args.gnentries < 0 || args.gnentries > GMAPFILEENTRIES) { + vput(lowerrootvp); + return (error); + } amp->info_unentries = args.unentries; amp->info_gnentries = args.gnentries; error = copyin(args.umapdata, (caddr_t)amp->info_umapdata, diff --git a/sys/net/if_ppp.c b/sys/net/if_ppp.c index 09be2e547dc..3573f827295 100644 --- a/sys/net/if_ppp.c +++ b/sys/net/if_ppp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_ppp.c,v 1.24 2001/07/20 22:47:15 mickey Exp $ */ +/* $OpenBSD: if_ppp.c,v 1.25 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: if_ppp.c,v 1.39 1997/05/17 21:11:59 christos Exp $ */ /* @@ -329,7 +329,8 @@ pppioctl(sc, cmd, data, flag, p) int flag; struct proc *p; { - int s, error, flags, mru, nb, npx; + int s, error, flags, mru, npx; + u_int nb; struct ppp_option_data *odp; struct compressor **cp; struct npioctl *npi; diff --git a/sys/nfs/nfs.h b/sys/nfs/nfs.h index 5addd30240d..33435dc23e4 100644 --- a/sys/nfs/nfs.h +++ b/sys/nfs/nfs.h 
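Review bot: Only `argp->ex_addrlen` is bounded by the new check in vfs_hang_addrlist(), while `argp->ex_masklen` goes unchecked into the same allocation size `i` on the very next line. Both are fields of the same caller-supplied `argp`, so the mask length needs the same limit: `if (argp->ex_addrlen > MLEN || argp->ex_masklen > MLEN) return (EINVAL);`. If these fields are signed (their declarations are not on this page), negative values should be rejected explicitly rather than through implicit conversion in the comparison. The function body continues outside the hunk.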
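Review bot: The new range check in umapfs_mount() ends with `return (error);`, but nothing in the hunk assigns `error` on that path. The value returned for out-of-range `unentries`/`gnentries` is therefore whatever an earlier call left there, presumably 0, which would report the rejected mount as a success. Returning an explicit code is safer: `vput(lowerrootvp); return (EINVAL);`. `amp` is dereferenced immediately after the check, so if it is allocated before this point (outside the hunk) the early return also has to free it, or the validation should move ahead of that allocation. The function starts and ends outside the hunk.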
@@ -1,4 +1,4 @@ -/* $OpenBSD: nfs.h,v 1.12 2001/08/19 18:16:31 art Exp $ */ +/* $OpenBSD: nfs.h,v 1.13 2001/09/16 00:42:44 millert Exp $ */ /* $NetBSD: nfs.h,v 1.10.4.1 1996/05/27 11:23:56 fvdl Exp $ */ /* @@ -163,9 +163,9 @@ struct nfsd_cargs { char *ncd_dirp; /* Mount dir path */ uid_t ncd_authuid; /* Effective uid */ int ncd_authtype; /* Type of authenticator */ - int ncd_authlen; /* Length of authenticator string */ + u_int ncd_authlen; /* Length of authenticator string */ u_char *ncd_authstr; /* Authenticator string */ - int ncd_verflen; /* and the verifier */ + u_int ncd_verflen; /* and the verifier */ u_char *ncd_verfstr; NFSKERBKEY_T ncd_key; /* Session key */ }; |