Date:      Fri, 15 Nov 2013 01:44:58 +0000 (UTC)
From:      David C Somayajulu <davidcs@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r258156 - head/sys/dev/qlxge
Message-ID:  <201311150144.rAF1iwNQ083816@svn.freebsd.org>

Author: davidcs
Date: Fri Nov 15 01:44:58 2013
New Revision: 258156
URL: http://svnweb.freebsd.org/changeset/base/258156

Log:
  Validate the buffer and its length passed to QLA_MPI_DUMP.
  copyout dump only if qls_mpi_core_dump() is successful.
  (would like to credit x90c for pointing out the issue)
  Submitted by:David C Somayajulu

Modified:
  head/sys/dev/qlxge/qls_ioctl.c

Modified: head/sys/dev/qlxge/qls_ioctl.c
==============================================================================
--- head/sys/dev/qlxge/qls_ioctl.c	Fri Nov 15 01:26:24 2013	(r258155)
+++ head/sys/dev/qlxge/qls_ioctl.c	Fri Nov 15 01:44:58 2013	(r258156)
@@ -100,13 +100,16 @@ qls_eioctl(struct cdev *dev, u_long cmd,
 		if (mpi_dump->size == 0) {
 			mpi_dump->size = sizeof (qls_mpi_coredump_t);
 		} else {
-			if (mpi_dump->size < sizeof (qls_mpi_coredump_t))
+			if ((mpi_dump->size != sizeof (qls_mpi_coredump_t)) ||
+				(mpi_dump->dbuf == NULL))
 				rval = EINVAL;
 			else {
-				qls_mpi_core_dump(ha);
-				rval = copyout( &ql_mpi_coredump,
-						mpi_dump->dbuf,
-						mpi_dump->size);
+				if (qls_mpi_core_dump(ha) == 0) {
+					rval = copyout(&ql_mpi_coredump,
+							mpi_dump->dbuf,
+							mpi_dump->size);
+				} else 
+					rval = ENXIO;
 
 				if (rval) {
 					device_printf(ha->pci_dev,
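Review bot: The `copyout(&ql_mpi_coredump, ...)` in the new success branch reads from what appears to be a shared object rather than a per-adapter field of `ha`, and nothing in this hunk shows a lock held from `qls_mpi_core_dump(ha)` through the copy. If the caller does not serialise QLA_MPI_DUMP, a second request could rewrite the buffer while the first is still being copied out, so userland may receive a mixed dump; qls_eioctl starts and ends outside the hunk, so this needs confirming there. The exact-size test is the security-relevant line and deserves a comment, for example `/* size must equal the dump struct: a larger copyout would read past ql_mpi_coredump into adjacent kernel memory */`. As a style point, the `} else ` line carries trailing whitespace and pairs a braced `if` with an unbraced `else`; `} else {` with `rval = ENXIO;` and a closing brace would read more safely.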


