Date: Wed, 14 Apr 2021 07:24:35 GMT From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 116f26f947b8 - main - sbuf_uionew(): sbuf_new() takes int as length Message-ID: <202104140724.13E7OZFF067564@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=116f26f947b8bbf868dcd85d79226406029a45ee commit 116f26f947b8bbf868dcd85d79226406029a45ee Author: Konstantin Belousov <kib@FreeBSD.org> AuthorDate: 2021-04-13 19:12:19 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2021-04-14 07:23:20 +0000 sbuf_uionew(): sbuf_new() takes int as length and length should be not less than SBUF_MINSIZE Reported and tested by: pho Noted and reviewed by: markj Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D29752 --- sys/kern/subr_sbuf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/kern/subr_sbuf.c b/sys/kern/subr_sbuf.c index cdeaf690208f..b7f135e81206 100644 --- a/sys/kern/subr_sbuf.c +++ b/sys/kern/subr_sbuf.c @@ -266,6 +266,10 @@ sbuf_uionew(struct sbuf *s, struct uio *uio, int *error) KASSERT(error != NULL, ("%s called with NULL error pointer", __func__)); + if (uio->uio_resid >= INT_MAX || uio->uio_resid < SBUF_MINSIZE - 1) { + *error = EINVAL; + return (NULL); + } s = sbuf_new(s, NULL, uio->uio_resid + 1, 0); if (s == NULL) { *error = ENOMEM;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202104140724.13E7OZFF067564>