From 85f5ff8ea1d2e32abd16921ba5a0caa9878efa0b Mon Sep 17 00:00:00 2001
From: Michael Shalayeff
Date: Thu, 20 Jul 2006 15:42:10 +0000
Subject: do some range checking on ccio passed from user; pt out by ramrunner@gmail.com
---
 sys/dev/ccd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'sys/dev')
diff --git a/sys/dev/ccd.c b/sys/dev/ccd.c
index 7a309e12a63..a702ae895f5 100644
--- a/sys/dev/ccd.c
+++ b/sys/dev/ccd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ccd.c,v 1.64 2006/01/09 12:43:16 pedro Exp $ */
+/* $OpenBSD: ccd.c,v 1.65 2006/07/20 15:42:09 mickey Exp $ */
 /* $NetBSD: ccd.c,v 1.33 1996/05/05 04:21:14 thorpej Exp $ */
 /*-
@@ -1151,6 +1151,10 @@ ccdioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
 if (cs->sc_flags & CCDF_INITED)
 return (EBUSY);
+ if (ccio->ccio_ndisks == 0 || ccio->ccio_ndisks > INT_MAX ||
+ ccio->ccio_ileave <= 0 || ccio->ccio_ileave > INT_MAX)
+ return (EINVAL);
+
 if ((error = ccdlock(cs)) != 0)
 return (error);
-- 
cgit v1.2.3
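Review bot: The upper bound `ccio->ccio_ndisks > INT_MAX` in the added check is too loose to protect anything that is sized from the user-supplied disk count: if code later in this ioctl case (not visible in the hunk) multiplies `ccio_ndisks` by an element size for an allocation or copyin, a count just under INT_MAX can still wrap that product on a 32-bit kernel or request an enormous allocation. A bound tied to a driver limit would be tighter, for example `ccio->ccio_ndisks > CCD_MAX_NDISKS` (a placeholder name, not an existing constant), or a check that the later size computation cannot overflow. The `ccio->ccio_ileave > INT_MAX` term looks unreachable if `ccio_ileave` is a plain `int`, as the `<= 0` test beside it suggests; the field types are not shown here, so confirm against the struct and drop the term or add a comment such as `/* ccio_ndisks is unsigned, ccio_ileave is signed */`. ccdioctl's body starts and ends outside the hunk.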