src - OpenBSD base system

diff options


context:
space:
mode:

author	Todd C. Miller <millert@cvs.openbsd.org>	2001-09-16 00:42:45 +0000
committer	Todd C. Miller <millert@cvs.openbsd.org>	2001-09-16 00:42:45 +0000
commit	dcf53c92ea15715a4406b9230a1c68943501ffb2 (patch)
tree	1d6ac3cb6ae47126af1dc54f4f0f5bac7afc49b7 /sys/dev
parent	3b1414ef904bbd7e35b23fc1509a3ea20e822cae (diff)

Add some missing lengths checks when passing data from userland to

kernel. From based on NetBSD patches.

Diffstat (limited to 'sys/dev')

-rw-r--r--

sys/dev/ccdvar.h

-rw-r--r--

sys/dev/pci/tga.c

-rw-r--r--

sys/dev/wscons/wsconsio.h

-rw-r--r--

sys/dev/wscons/wsdisplay.c

-rw-r--r--

sys/dev/wscons/wskbd.c

5 files changed, 24 insertions, 14 deletions

diff --git a/sys/dev/ccdvar.h b/sys/dev/ccdvar.h
index 20e5b5098a3..08c54bf91c0 100644
--- a/sys/dev/ccdvar.h
+++ b/sys/dev/ccdvar.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: ccdvar.h,v 1.4 1997/11/26 22:30:19 niklas Exp $ */

+/* $OpenBSD: ccdvar.h,v 1.5 2001/09/16 00:42:44 millert Exp $ */

/* $NetBSD: ccdvar.h,v 1.11 1996/02/28 01:08:32 thorpej Exp $ */

/*-

@@ -105,7 +105,7 @@ struct ccddevice {

struct ccd_ioctl {

char **ccio_disks; /* pointer to component paths */

- int ccio_ndisks; /* number of disks to concatenate */

+ u_int ccio_ndisks; /* number of disks to concatenate */

int ccio_ileave; /* interleave (DEV_BSIZE blocks) */

int ccio_flags; /* misc. information */

int ccio_unit; /* unit number: use varies */

@@ -185,7 +185,8 @@ struct ccd_softc {

int sc_cflags; /* configuration flags */

size_t sc_size; /* size of ccd */

int sc_ileave; /* interleave */

- int sc_nccdisks; /* number of components */

+#define CCD_MAXNDISKS 65536

+ u_int sc_nccdisks; /* number of components */

struct ccdcinfo *sc_cinfo; /* component info */

struct ccdiinfo *sc_itable; /* interleave table */

struct ccdgeom sc_geom; /* pseudo geometry info */

diff --git a/sys/dev/pci/tga.c b/sys/dev/pci/tga.c
index 23b8c7a4b7b..e5addd7b0b6 100644
--- a/sys/dev/pci/tga.c
+++ b/sys/dev/pci/tga.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: tga.c,v 1.8 2001/08/25 10:13:30 art Exp $ */

+/* $OpenBSD: tga.c,v 1.9 2001/09/16 00:42:44 millert Exp $ */

/* $NetBSD: tga.c,v 1.31 2001/02/11 19:34:58 nathanw Exp $ */

@@ -831,7 +831,8 @@ tga_builtin_set_cursor(dc, cursorp)

{

struct ramdac_funcs *dcrf = dc->dc_ramdac_funcs;

struct ramdac_cookie *dcrc = dc->dc_ramdac_cookie;

- int count, error, v;

+ u_int count, v;

+ int error;

v = cursorp->which;

if (v & WSDISPLAY_CURSOR_DOCMAP) {

@@ -886,7 +887,8 @@ tga_builtin_get_cursor(dc, cursorp)

{

struct ramdac_funcs *dcrf = dc->dc_ramdac_funcs;

struct ramdac_cookie *dcrc = dc->dc_ramdac_cookie;

- int count, error;

+ int error;

+ u_int count;

cursorp->which = WSDISPLAY_CURSOR_DOALL &

~(WSDISPLAY_CURSOR_DOHOT | WSDISPLAY_CURSOR_DOCMAP);

diff --git a/sys/dev/wscons/wsconsio.h b/sys/dev/wscons/wsconsio.h
index f942e0b8aa8..a2f7dcbfd34 100644
--- a/sys/dev/wscons/wsconsio.h
+++ b/sys/dev/wscons/wsconsio.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: wsconsio.h,v 1.12 2001/08/29 20:20:26 mickey Exp $ */

+/* $OpenBSD: wsconsio.h,v 1.13 2001/09/16 00:42:44 millert Exp $ */

/* $NetBSD: wsconsio.h,v 1.31.2.1 2000/07/07 09:49:17 hannken Exp $ */

@@ -148,6 +148,7 @@ struct wskbd_keyrepeat_data {

/* Manipulate keysym groups. */

struct wskbd_map_data {

u_int maplen; /* number of entries in map */

+#define WSKBDIO_MAXMAPLEN 65536

struct wscons_keymap *map; /* map to get or set */

};

#define WSKBDIO_GETMAP _IOWR('W', 13, struct wskbd_map_data)

@@ -314,7 +315,8 @@ struct wsdisplay_font {

#define WSDISPLAY_FONTENC_PCVT 2

#define WSDISPLAY_FONTENC_ISO7 3 /* greek */

#define WSDISPLAY_FONTENC_SONY 4

- int fontwidth, fontheight, stride;

+ u_int fontwidth, fontheight, stride;

+#define WSDISPLAY_MAXFONTSZ (512*1024)

int bitorder, byteorder;

#define WSDISPLAY_FONTORDER_KNOWN 0 /* i.e, no need to convert */

#define WSDISPLAY_FONTORDER_L2R 1

diff --git a/sys/dev/wscons/wsdisplay.c b/sys/dev/wscons/wsdisplay.c
index fefd6276899..98ac84e3f1c 100644
--- a/sys/dev/wscons/wsdisplay.c
+++ b/sys/dev/wscons/wsdisplay.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: wsdisplay.c,v 1.33 2001/08/29 20:26:18 mickey Exp $ */

+/* $OpenBSD: wsdisplay.c,v 1.34 2001/09/16 00:42:44 millert Exp $ */

/* $NetBSD: wsdisplay.c,v 1.37.4.1 2000/06/30 16:27:53 simonb Exp $ */

@@ -1156,6 +1156,7 @@ wsdisplay_cfg_ioctl(sc, cmd, data, flag, p)

{

int error;

void *buf;

+ size_t fontsz;

#if defined(COMPAT_14) && NWSKBD > 0

struct wsmux_device wsmuxdata;

#endif

@@ -1186,10 +1187,12 @@ wsdisplay_cfg_ioctl(sc, cmd, data, flag, p)

return (EINVAL);

if (d->index >= WSDISPLAY_MAXFONT)

return (EINVAL);

- buf = malloc(d->fontheight * d->stride * d->numchars,

- M_DEVBUF, M_WAITOK);

- error = copyin(d->data, buf,

- d->fontheight * d->stride * d->numchars);

+ fontsz = d->fontheight * d->stride * d->numchars;

+ if (fontsz > WSDISPLAY_MAXFONTSZ)

+ return (EINVAL);

+ buf = malloc(fontsz, M_DEVBUF, M_WAITOK);

+ error = copyin(d->data, buf, fontsz);

if (error) {

free(buf, M_DEVBUF);

return (error);

diff --git a/sys/dev/wscons/wskbd.c b/sys/dev/wscons/wskbd.c
index 17d34c3ee81..8d851d1384b 100644
--- a/sys/dev/wscons/wskbd.c
+++ b/sys/dev/wscons/wskbd.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: wskbd.c,v 1.23 2001/06/11 22:48:14 mickey Exp $ */

+/* $OpenBSD: wskbd.c,v 1.24 2001/09/16 00:42:44 millert Exp $ */

/* $NetBSD: wskbd.c,v 1.38 2000/03/23 07:01:47 thorpej Exp $ */

@@ -985,6 +985,8 @@ getkeyrepeat:

if ((flag & FWRITE) == 0)

return (EACCES);

umdp = (struct wskbd_map_data *)data;

+ if (umdp->maplen > WSKBDIO_MAXMAPLEN)

+ return (EINVAL);

len = umdp->maplen*sizeof(struct wscons_keymap);

buf = malloc(len, M_TEMP, M_WAITOK);

error = copyin(umdp->map, buf, len);