Date: Sat, 12 Jan 2019 17:00:54 +0000 (UTC) From: Mark Johnston <markj@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r342970 - in stable: 11/sys/dev/tws 12/sys/dev/tws Message-ID: <201901121700.x0CH0s0r040033@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: markj Date: Sat Jan 12 17:00:54 2019 New Revision: 342970 URL: https://svnweb.freebsd.org/changeset/base/342970 Log: MFC r342787: Add a bounds check to the tws(4) passthrough ioctl handler. admbug: 825 Modified: stable/11/sys/dev/tws/tws_user.c Directory Properties: stable/11/ (props changed) Changes in other areas also in this revision: Modified: stable/12/sys/dev/tws/tws_user.c Directory Properties: stable/12/ (props changed) Modified: stable/11/sys/dev/tws/tws_user.c ============================================================================== --- stable/11/sys/dev/tws/tws_user.c Sat Jan 12 16:58:32 2019 (r342969) +++ stable/11/sys/dev/tws/tws_user.c Sat Jan 12 17:00:54 2019 (r342970) @@ -90,9 +90,13 @@ tws_passthru(struct tws_softc *sc, void *buf) struct tws_request *req; struct tws_ioctl_no_data_buf *ubuf = (struct tws_ioctl_no_data_buf *)buf; int error; + u_int32_t buffer_length; u_int16_t lun4; - + buffer_length = roundup2(ubuf->driver_pkt.buffer_length, 512); + if ( buffer_length > TWS_MAX_IO_SIZE ) { + return(EINVAL); + } if ( tws_get_state(sc) != TWS_ONLINE) { return(EBUSY); } @@ -116,7 +120,7 @@ tws_passthru(struct tws_softc *sc, void *buf) } } while(1); - req->length = (ubuf->driver_pkt.buffer_length + 511) & ~511; + req->length = buffer_length; TWS_TRACE_DEBUG(sc, "datal,rid", req->length, req->request_id); if ( req->length ) { req->data = sc->ioctl_data_mem;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201901121700.x0CH0s0r040033>