author | Constantine Sapuntzakis <csapuntz@cvs.openbsd.org> | 2001-10-02 17:40:21 +0000 |
---|---|---|
committer | Constantine Sapuntzakis <csapuntz@cvs.openbsd.org> | 2001-10-02 17:40:21 +0000 |
commit | 87ec4d59fc6cefaef0c58d444d52fe0586ec14ca (patch) | |
tree | ef757d360269b52ec0b8b27564869c34b80744b0 /sys/compat/svr4/svr4_stream.c | |
parent | 841756b7892fafbdbf3c0656d51bc142831e4f6d (diff) |
Values coming from userland should be bounds checked, even if we put them
there just a couple calls ago. Thanks to Ken Ashcraft of Stanford for finding
this bug.
Diffstat (limited to 'sys/compat/svr4/svr4_stream.c')
-rw-r--r-- | sys/compat/svr4/svr4_stream.c | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/sys/compat/svr4/svr4_stream.c b/sys/compat/svr4/svr4_stream.c
index c4ad581feeb..5b20c9d5d9e 100644
--- a/sys/compat/svr4/svr4_stream.c
+++ b/sys/compat/svr4/svr4_stream.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: svr4_stream.c,v 1.12 2001/04/18 09:06:42 niklas Exp $ */
+/* $OpenBSD: svr4_stream.c,v 1.13 2001/10/02 17:40:20 csapuntz Exp $ */
 /* $NetBSD: svr4_stream.c,v 1.19 1996/12/22 23:00:03 fvdl Exp $ */
 /*
@@ -882,7 +882,7 @@ svr4_stream_ti_ioctl(fp, p, retval, fd, cmd, dat)
 struct sockaddr_in sain;
 struct sockaddr_un saun;
 struct svr4_strmcmd sc;
- int sasize;
+ socklen_t sasize, samax;
 caddr_t sg;
 int *lenp;
@@ -891,20 +891,15 @@ svr4_stream_ti_ioctl(fp, p, retval, fd, cmd, dat)
 sc.offs = 0x10;
- if ((error = copyin(sub, &skb, sizeof(skb))) != 0) {
- DPRINTF(("ti_ioctl: error copying in strbuf\n"));
- return error;
- }
-
 switch (st->s_family) {
 case AF_INET:
 skp = &sain;
- sasize = sizeof(sain);
+ samax = sizeof(sain);
 break;
 case AF_UNIX:
 skp = &saun;
- sasize = sizeof(saun);
+ samax = sizeof(saun);
 break;
 default:
@@ -914,10 +909,10 @@ svr4_stream_ti_ioctl(fp, p, retval, fd, cmd, dat)
 }
 sg = stackgap_init(p->p_emul);
- sup = stackgap_alloc(&sg, sasize);
+ sup = stackgap_alloc(&sg, samax);
 lenp = stackgap_alloc(&sg, sizeof(*lenp));
- if ((error = copyout(&sasize, lenp, sizeof(*lenp))) != 0) {
+ if ((error = copyout(&samax, lenp, sizeof(*lenp))) != 0) {
 DPRINTF(("ti_ioctl: error copying out lenp\n"));
 return error;
 }
@@ -963,7 +958,7 @@ svr4_stream_ti_ioctl(fp, p, retval, fd, cmd, dat)
 return ENOSYS;
 }
- if ((error = copyin(sup, skp, sasize)) != 0) {
+ if ((error = copyin(sup, skp, samax)) != 0) {
 DPRINTF(("ti_ioctl: error copying in socket data\n"));
 return error;
 }
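Review bot: In the -909 hunk, `copyout(&samax, lenp, sizeof(*lenp))` now copies a `socklen_t` object using the size of an `int` pointee, so the byte count no longer names the object it reads from; `copyout(&samax, lenp, sizeof(samax))`, or declaring lenp as `socklen_t *`, keeps the two in step. The widths are presumably equal on this platform, so this is a consistency point rather than a defect today, but the same int-versus-socklen_t dependency governs the read-back of sasize that the -973 hunk later bounds-checks. The enclosing function svr4_stream_ti_ioctl starts and ends outside these hunks.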
@@ -973,6 +968,17 @@ svr4_stream_ti_ioctl(fp, p, retval, fd, cmd, dat)
 return error;
 }
+ if (sasize < 0 || sasize > samax) {
+ DPRINTF(("ti_ioctl: invalid socklen on stack\n"));
+ error = EINVAL;
+ return error;
+ }
+
+ if ((error = copyin(sub, &skb, sizeof(skb))) != 0) {
+ DPRINTF(("ti_ioctl: error copying in strbuf\n"));
+ return error;
+ }
+
 switch (st->s_family) {
 case AF_INET:
 sockaddr_to_netaddr_in(&sc, &sain); |
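Review bot: The `sasize < 0` half of the new guard can never be true now that the -882 hunk declares sasize as `socklen_t`, an unsigned type, so the check reduces to `sasize > samax` and compilers will flag the dead comparison. The same intent reads more directly as `if (sasize > samax) { DPRINTF(("ti_ioctl: invalid socklen on stack\n")); return EINVAL; }`, dropping the `error = EINVAL; return error;` detour. The value being checked is presumably read back from *lenp by a copyin just above this hunk, of which only the `return error; }` tail is visible, so a one-line comment such as `/* sasize was written by the kernel into lenp; still bound it before use */` would record why a value the kernel itself stored is re-validated. The enclosing function svr4_stream_ti_ioctl starts and ends outside the hunk.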