Add some missing lengths checks when passing data from userland to

kernel.  From based on NetBSD patches.

3 files changed, 15 insertions, 8 deletions

diff --git a/sys/dev/wscons/wsconsio.h b/sys/dev/wscons/wsconsio.h
index f942e0b8aa8..a2f7dcbfd34 100644
--- a/sys/dev/wscons/wsconsio.h
+++ b/sys/dev/wscons/wsconsio.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: wsconsio.h,v 1.12 2001/08/29 20:20:26 mickey Exp $ */
+/* $OpenBSD: wsconsio.h,v 1.13 2001/09/16 00:42:44 millert Exp $ */
 /* $NetBSD: wsconsio.h,v 1.31.2.1 2000/07/07 09:49:17 hannken Exp $ */
 
 /*
@@ -148,6 +148,7 @@ struct wskbd_keyrepeat_data {
 /* Manipulate keysym groups. */
 struct wskbd_map_data {
 	u_int	maplen;				/* number of entries in map */
+#define WSKBDIO_MAXMAPLEN	65536
 	struct wscons_keymap *map;		/* map to get or set */
 };
 #define WSKBDIO_GETMAP		_IOWR('W', 13, struct wskbd_map_data)
@@ -314,7 +315,8 @@ struct wsdisplay_font {
 #define WSDISPLAY_FONTENC_PCVT 2
 #define WSDISPLAY_FONTENC_ISO7 3 /* greek */
 #define WSDISPLAY_FONTENC_SONY 4
-	int fontwidth, fontheight, stride;
+	u_int fontwidth, fontheight, stride;
+#define WSDISPLAY_MAXFONTSZ	(512*1024)
 	int bitorder, byteorder;
 #define	WSDISPLAY_FONTORDER_KNOWN	0	/* i.e, no need to convert */
 #define	WSDISPLAY_FONTORDER_L2R		1
diff --git a/sys/dev/wscons/wsdisplay.c b/sys/dev/wscons/wsdisplay.c
index fefd6276899..98ac84e3f1c 100644
--- a/sys/dev/wscons/wsdisplay.c
+++ b/sys/dev/wscons/wsdisplay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: wsdisplay.c,v 1.33 2001/08/29 20:26:18 mickey Exp $ */
+/* $OpenBSD: wsdisplay.c,v 1.34 2001/09/16 00:42:44 millert Exp $ */
 /* $NetBSD: wsdisplay.c,v 1.37.4.1 2000/06/30 16:27:53 simonb Exp $ */
 
 /*
@@ -1156,6 +1156,7 @@ wsdisplay_cfg_ioctl(sc, cmd, data, flag, p)
 {
 	int error;
 	void *buf;
+	size_t fontsz;
 #if defined(COMPAT_14) && NWSKBD > 0
 	struct wsmux_device wsmuxdata;
 #endif
@@ -1186,10 +1187,12 @@ wsdisplay_cfg_ioctl(sc, cmd, data, flag, p)
 			return (EINVAL);
 		if (d->index >= WSDISPLAY_MAXFONT)
 			return (EINVAL);
-		buf = malloc(d->fontheight * d->stride * d->numchars,
-			     M_DEVBUF, M_WAITOK);
-		error = copyin(d->data, buf,
-			       d->fontheight * d->stride * d->numchars);
+		fontsz = d->fontheight * d->stride * d->numchars;
+		if (fontsz > WSDISPLAY_MAXFONTSZ)
+			return (EINVAL);
+
+		buf = malloc(fontsz, M_DEVBUF, M_WAITOK);
+		error = copyin(d->data, buf, fontsz);
 		if (error) {
 			free(buf, M_DEVBUF);
 			return (error);
diff --git a/sys/dev/wscons/wskbd.c b/sys/dev/wscons/wskbd.c
index 17d34c3ee81..8d851d1384b 100644
--- a/sys/dev/wscons/wskbd.c
+++ b/sys/dev/wscons/wskbd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: wskbd.c,v 1.23 2001/06/11 22:48:14 mickey Exp $ */
+/* $OpenBSD: wskbd.c,v 1.24 2001/09/16 00:42:44 millert Exp $ */
 /* $NetBSD: wskbd.c,v 1.38 2000/03/23 07:01:47 thorpej Exp $ */
 
 /*
@@ -985,6 +985,8 @@ getkeyrepeat:
 		if ((flag & FWRITE) == 0)
 			return (EACCES);
 		umdp = (struct wskbd_map_data *)data;
+		if (umdp->maplen > WSKBDIO_MAXMAPLEN)
+			return (EINVAL);
 		len = umdp->maplen*sizeof(struct wscons_keymap);
 		buf = malloc(len, M_TEMP, M_WAITOK);
 		error = copyin(umdp->map, buf, len);