Date:      Sat, 3 Dec 2016 21:27:19 +0000 (UTC)
From:      Edward Tomasz Napierala <trasz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r309516 - stable/11/sys/cam/ctl
Message-ID:  <201612032127.uB3LRJPi026328@repo.freebsd.org>

Author: trasz
Date: Sat Dec  3 21:27:19 2016
New Revision: 309516
URL: https://svnweb.freebsd.org/changeset/base/309516

Log:
  MFC r308250:
  
  Check for lengths being <= 0.  Note that this interface can only
  be accessed by root.  It uses unsigned ints instead of size_t
  to preserve the ABI.
  
  PR:		207627

Modified:
  stable/11/sys/cam/ctl/ctl.c
  stable/11/sys/cam/ctl/ctl_ioctl.h
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/cam/ctl/ctl.c
==============================================================================
--- stable/11/sys/cam/ctl/ctl.c	Sat Dec  3 21:23:43 2016	(r309515)
+++ stable/11/sys/cam/ctl/ctl.c	Sat Dec  3 21:27:19 2016	(r309516)
@@ -2370,7 +2370,7 @@ ctl_ioctl_fill_ooa(struct ctl_lun *lun, 
 }
 
 static void *
-ctl_copyin_alloc(void *user_addr, int len, char *error_str,
+ctl_copyin_alloc(void *user_addr, unsigned int len, char *error_str,
 		 size_t error_str_len)
 {
 	void *kptr;
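Review bot: The zero-length guard this commit adds lives in the caller (ctl_copyin_args) rather than in `ctl_copyin_alloc` itself, so any other present or future caller of this helper still reaches the allocation and copyin with `len == 0`; the `unsigned int len` change on the `+` line removes the negative case but does not reject zero. A defensive check at the top of the body, `if (len == 0) { snprintf(error_str, error_str_len, "zero-length copyin"); return (NULL); }`, would centralize the invariant instead of relying on each call site. The body of ctl_copyin_alloc continues past the hunk, so whether it already rejects zero or places an upper bound on `len` before allocating cannot be confirmed from here.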
@@ -2425,6 +2425,12 @@ ctl_copyin_args(int num_args, struct ctl
 	for (i = 0; i < num_args; i++) {
 		uint8_t *tmpptr;
 
+		if (args[i].namelen == 0) {
+			snprintf(error_str, error_str_len, "Argument %d "
+				 "name length is zero", i);
+			goto bailout;
+		}
+
 		args[i].kname = ctl_copyin_alloc(args[i].name,
 			args[i].namelen, error_str, error_str_len);
 		if (args[i].kname == NULL)
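Review bot: The new check `if (args[i].namelen == 0)` rejects only zero, while the log message describes rejecting lengths `<= 0`; because the ABI is deliberately preserved and the field is now `unsigned int`, a negative `namelen` from an existing userland build arrives here as a value near `UINT_MAX`, passes this check, and reaches `ctl_copyin_alloc` with an enormous length. Since the interface is root-only this is at most self-inflicted resource exhaustion, but an upper bound would make the code match the stated intent, e.g. `if (args[i].namelen == 0 || args[i].namelen > maxlen)` with `maxlen` chosen from the largest argument name the backends actually accept. The remainder of ctl_copyin_args, including the `bailout` path that must free earlier `kname` allocations, is outside this hunk.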
@@ -2437,10 +2443,17 @@ ctl_copyin_args(int num_args, struct ctl
 		}
 
 		if (args[i].flags & CTL_BEARG_RD) {
+			if (args[i].vallen == 0) {
+				snprintf(error_str, error_str_len, "Argument %d "
+					 "value length is zero", i);
+				goto bailout;
+			}
+
 			tmpptr = ctl_copyin_alloc(args[i].value,
 				args[i].vallen, error_str, error_str_len);
 			if (tmpptr == NULL)
 				goto bailout;
+
 			if ((args[i].flags & CTL_BEARG_ASCII)
 			 && (tmpptr[args[i].vallen - 1] != '\0')) {
 				snprintf(error_str, error_str_len, "Argument "
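Review bot: The `vallen == 0` guard is placed inside the `CTL_BEARG_RD` branch, so it only protects the `tmpptr[args[i].vallen - 1]` index a few lines below it; an argument without `CTL_BEARG_RD` (a write-only value) still passes through with `vallen == 0`, and whatever the `else` branch outside this hunk does with `vallen` — presumably sizing the kernel-side buffer — is not covered by it. Hoisting the check above `if (args[i].flags & CTL_BEARG_RD) {` costs nothing and gives both branches the same invariant. The hunk ends in the middle of the ASCII-termination error message and the function continues past it.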

Modified: stable/11/sys/cam/ctl/ctl_ioctl.h
==============================================================================
--- stable/11/sys/cam/ctl/ctl_ioctl.h	Sat Dec  3 21:23:43 2016	(r309515)
+++ stable/11/sys/cam/ctl/ctl_ioctl.h	Sat Dec  3 21:27:19 2016	(r309516)
@@ -317,20 +317,20 @@ typedef enum {
  *
  * flags:	Flags for the parameter, see above for values.
  *
- * vallen:	Length of the value in bytes.
+ * vallen:	Length of the value in bytes, including the terminating NUL.
  *
- * value:	Value to be set/fetched.
+ * value:	Value to be set/fetched. This must be NUL-terminated.
  *
  * kname:	For kernel use only.
  *
  * kvalue:	For kernel use only.
  */
 struct ctl_be_arg {
-	int	namelen;
-	char	*name;
-	int	flags;
-	int	vallen;
-	void	*value;
+	unsigned int	namelen;
+	char		*name;
+	int		flags;
+	unsigned int	vallen;
+	void		*value;
 
 	char	*kname;
 	void	*kvalue;
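Review bot: The new comment `value: Value to be set/fetched. This must be NUL-terminated.` and the matching `vallen` text overstate what ctl.c enforces: the kernel checks for a terminating NUL only when `CTL_BEARG_ASCII` is set, and binary values carry no terminator at all. Suggested wording: `vallen: Length of the value in bytes; for CTL_BEARG_ASCII values this includes the terminating NUL.` and `value: Value to be set/fetched. CTL_BEARG_ASCII values must be NUL-terminated.`. It would also help to state on `namelen` and `vallen` that a zero length is rejected with an error string, since that is the behaviour the `unsigned int` change introduces and nothing in the header says so. The struct definition and its leading comment continue outside the hunk.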


