diff options
| author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2008-04-10 19:55:42 +0000 |
|---|---|---|
| committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2008-04-10 19:55:42 +0000 |
| commit | 08d3274a40ea6a5c7cd2bc6691ce5e0c9195f293 (patch) | |
| tree | 0633404d708dccddda9e29e376a36cfc8bb4e679 /sys/kern | |
| parent | 099be31700bff9c5d8ed7b9edf15da1a38267b09 (diff) | |
scrub local stack-based buffers in the tty subsystem. tested by a lot of
developers. if you notice tty weirdnesses in the next few months, talk to
me
Diffstat (limited to 'sys/kern')
| -rw-r--r-- | sys/kern/tty.c | 16 | ||||
| -rw-r--r-- | sys/kern/tty_pty.c | 69 |
2 files changed, 56 insertions, 29 deletions
diff --git a/sys/kern/tty.c b/sys/kern/tty.c index f1d0ff17c2a..e3a17c13cd9 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tty.c,v 1.74 2007/10/29 14:12:19 chl Exp $ */ +/* $OpenBSD: tty.c,v 1.75 2008/04/10 19:55:41 deraadt Exp $ */ /* $NetBSD: tty.c,v 1.68.4.2 1996/06/06 16:04:52 thorpej Exp $ */ /*- @@ -1665,7 +1665,7 @@ int ttwrite(struct tty *tp, struct uio *uio, int flag) { u_char *cp = NULL; - int cc, ce; + int cc, ce, obufcc = 0; struct proc *p; int i, hiwat, cnt, error, s; u_char obuf[OBUFSIZ]; @@ -1680,7 +1680,8 @@ loop: !ISSET(tp->t_cflag, CLOCAL)) { if (ISSET(tp->t_state, TS_ISOPEN)) { splx(s); - return (EIO); + error = EIO; + goto done; } else if (flag & IO_NDELAY) { splx(s); error = EWOULDBLOCK; @@ -1722,7 +1723,7 @@ loop: while (uio->uio_resid > 0 || cc > 0) { if (ISSET(tp->t_lflag, FLUSHO)) { uio->uio_resid = 0; - return (0); + goto done; } if (tp->t_outq.c_cc > hiwat) goto ovhiwat; @@ -1738,6 +1739,8 @@ loop: cc = 0; break; } + if (cc > obufcc) + obufcc = cc; } /* * If nothing fancy need be done, grab those characters we @@ -1803,6 +1806,9 @@ out: * (the call will either return short or restart with a new uio). */ uio->uio_resid += cc; +done: + if (obufcc) + bzero(obuf, obufcc); return (error); overfull: @@ -1828,6 +1834,8 @@ ovhiwat: if (flag & IO_NDELAY) { splx(s); uio->uio_resid += cc; + if (obufcc) + bzero(obuf, obufcc); return (uio->uio_resid == cnt ? EWOULDBLOCK : 0); } SET(tp->t_state, TS_ASLEEP); diff --git a/sys/kern/tty_pty.c b/sys/kern/tty_pty.c index a158a80b18a..0671ba7fe1b 100644 --- a/sys/kern/tty_pty.c +++ b/sys/kern/tty_pty.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tty_pty.c,v 1.35 2007/09/07 15:00:20 art Exp $ */ +/* $OpenBSD: tty_pty.c,v 1.36 2008/04/10 19:55:41 deraadt Exp $ */ /* $NetBSD: tty_pty.c,v 1.33.4.1 1996/06/02 09:08:11 mrg Exp $ */ /* @@ -456,7 +456,7 @@ ptcread(dev_t dev, struct uio *uio, int flag) struct pt_softc *pti = pt_softc[minor(dev)]; struct tty *tp = pti->pt_tty; char buf[BUFSIZ]; - int error = 0, cc; + int error = 0, cc, bufcc = 0; /* * We want to block until the slave @@ -500,7 +500,10 @@ ptcread(dev_t dev, struct uio *uio, int flag) if (pti->pt_flags & (PF_PKT|PF_UCNTL)) error = ureadc(0, uio); while (uio->uio_resid > 0 && error == 0) { - cc = q_to_b(&tp->t_outq, buf, min(uio->uio_resid, BUFSIZ)); + cc = min(uio->uio_resid, BUFSIZ); + cc = q_to_b(&tp->t_outq, buf, cc); + if (cc > bufcc) + bufcc = cc; if (cc <= 0) break; error = uiomove(buf, cc, uio); @@ -512,6 +515,8 @@ ptcread(dev_t dev, struct uio *uio, int flag) } selwakeup(&tp->t_wsel); } + if (bufcc) + bzero(buf, bufcc); return (error); } @@ -522,8 +527,8 @@ ptcwrite(dev_t dev, struct uio *uio, int flag) struct pt_softc *pti = pt_softc[minor(dev)]; struct tty *tp = pti->pt_tty; u_char *cp = NULL; - int cc = 0; - u_char locbuf[BUFSIZ]; + int cc = 0, bufcc = 0; + u_char buf[BUFSIZ]; int cnt = 0; int error = 0; @@ -537,13 +542,17 @@ again: if (cc == 0) { cc = min(uio->uio_resid, BUFSIZ); cc = min(cc, TTYHOG - 1 - tp->t_canq.c_cc); - cp = locbuf; + if (cc > bufcc) + bufcc = cc; + cp = buf; error = uiomove(cp, cc, uio); if (error) - return (error); + goto done; /* check again for safety */ - if ((tp->t_state&TS_ISOPEN) == 0) - return (EIO); + if ((tp->t_state&TS_ISOPEN) == 0) { + error = EIO; + goto done; + } } if (cc) (void) b_to_q((char *)cp, cc, &tp->t_canq); @@ -552,19 +561,24 @@ again: (void) putc(0, &tp->t_canq); ttwakeup(tp); wakeup(&tp->t_canq); - return (0); + goto done; } while (uio->uio_resid > 0) { if (cc == 0) { cc = min(uio->uio_resid, BUFSIZ); - cp = locbuf; + if (cc > bufcc) + bufcc = cc; + cp = buf; error = uiomove(cp, cc, uio); if (error) - return (error); + goto done; /* check again for safety */ - if ((tp->t_state&TS_ISOPEN) == 0) - return (EIO); + if ((tp->t_state&TS_ISOPEN) == 0) { + error = EIO; + goto done; + } } + bufcc = cc; while (cc > 0) { if ((tp->t_rawq.c_cc + tp->t_canq.c_cc) >= TTYHOG - 2 && (tp->t_canq.c_cc > 0 || !ISSET(tp->t_lflag, ICANON))) { @@ -577,29 +591,34 @@ again: } cc = 0; } - return (0); + goto done; block: /* * Come here to wait for slave to open, for space * in outq, or space in rawq. */ - if ((tp->t_state&TS_CARR_ON) == 0) - return (EIO); + if ((tp->t_state&TS_CARR_ON) == 0) { + error = EIO; + goto done; + } if (flag & IO_NDELAY) { /* adjust for data copied in but not written */ uio->uio_resid += cc; if (cnt == 0) - return (EWOULDBLOCK); - return (0); + error = EWOULDBLOCK; + goto done; } error = tsleep(&tp->t_rawq.c_cf, TTOPRI | PCATCH, ttyout, 0); - if (error) { - /* adjust for data copied in but not written */ - uio->uio_resid += cc; - return (error); - } - goto again; + if (error == 0) + goto again; + + /* adjust for data copied in but not written */ + uio->uio_resid += cc; +done: + if (bufcc) + bzero(buf, bufcc); + return (error); } int |