Date: Sat, 3 Mar 2018 02:39:54 +0000 (UTC) From: Navdeep Parhar <np@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r330308 - stable/11/sys/dev/cxgb Message-ID: <201803030239.w232dss0090144@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: np Date: Sat Mar 3 02:39:54 2018 New Revision: 330308 URL: https://svnweb.freebsd.org/changeset/base/330308 Log: MFC r328315: cxgb(4): Validate offset/len in the GET_EEPROM ioctl. Modified: stable/11/sys/dev/cxgb/cxgb_main.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/dev/cxgb/cxgb_main.c ============================================================================== --- stable/11/sys/dev/cxgb/cxgb_main.c Sat Mar 3 02:30:52 2018 (r330307) +++ stable/11/sys/dev/cxgb/cxgb_main.c Sat Mar 3 02:39:54 2018 (r330308) @@ -2958,8 +2958,14 @@ cxgb_extension_ioctl(struct cdev *dev, unsigned long c case CHELSIO_GET_EEPROM: { int i; struct ch_eeprom *e = (struct ch_eeprom *)data; - uint8_t *buf = malloc(EEPROMSIZE, M_DEVBUF, M_NOWAIT); + uint8_t *buf; + if (e->offset & 3 || e->offset >= EEPROMSIZE || + e->len > EEPROMSIZE || e->offset + e->len > EEPROMSIZE) { + return (EINVAL); + } + + buf = malloc(EEPROMSIZE, M_DEVBUF, M_NOWAIT); if (buf == NULL) { return (ENOMEM); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201803030239.w232dss0090144>