Date:      Thu, 3 Jul 2014 19:07:37 +0000 (UTC)
From:      "Pedro F. Giffuni" <pfg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r268230 - head/sys/cddl/contrib/opensolaris/uts/common/dtrace
Message-ID:  <201407031907.s63J7bLa023863@svn.freebsd.org>

Author: pfg
Date: Thu Jul  3 19:07:37 2014
New Revision: 268230
URL: http://svnweb.freebsd.org/changeset/base/268230

Log:
  Merge from OpenSolaris (22-Apr-2008):
  
  6823388 DTrace ioctl handlers must validate all structure members
  
  MFC after:	1 week

Modified:
  head/sys/cddl/contrib/opensolaris/uts/common/dtrace/dtrace.c
  head/sys/cddl/contrib/opensolaris/uts/common/dtrace/fasttrap.c

Modified: head/sys/cddl/contrib/opensolaris/uts/common/dtrace/dtrace.c
==============================================================================
--- head/sys/cddl/contrib/opensolaris/uts/common/dtrace/dtrace.c	Thu Jul  3 18:24:28 2014	(r268229)
+++ head/sys/cddl/contrib/opensolaris/uts/common/dtrace/dtrace.c	Thu Jul  3 19:07:37 2014	(r268230)
@@ -12908,7 +12908,8 @@ dtrace_dof_copyin(uintptr_t uarg, int *e
 
 	dof = kmem_alloc(hdr.dofh_loadsz, KM_SLEEP);
 
-	if (copyin((void *)uarg, dof, hdr.dofh_loadsz) != 0) {
+	if (copyin((void *)uarg, dof, hdr.dofh_loadsz) != 0 ||
+	    dof->dofh_loadsz != hdr.dofh_loadsz) {
 		kmem_free(dof, hdr.dofh_loadsz);
 		*errp = EFAULT;
 		return (NULL);
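
Review bot: The added `dof->dofh_loadsz != hdr.dofh_loadsz` test in the copyin condition needs a comment, because nothing at this site says why a field of the freshly copied buffer is compared against the value that was just used as the allocation and copy length. The reason is that user memory at uarg is fetched a second time here and can have changed since hdr was read, so the copy in dof may carry a different dofh_loadsz than the one the buffer was sized with; a one-line comment to that effect would keep the check from being removed as redundant later. The mismatch is also reported as EFAULT, the same as a failed copyin, although the copy itself succeeded; consider whether EINVAL would describe it better to the caller. The ordering of the two operands is right: the buffer is only read after copyin has returned 0.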

Modified: head/sys/cddl/contrib/opensolaris/uts/common/dtrace/fasttrap.c
==============================================================================
--- head/sys/cddl/contrib/opensolaris/uts/common/dtrace/fasttrap.c	Thu Jul  3 18:24:28 2014	(r268229)
+++ head/sys/cddl/contrib/opensolaris/uts/common/dtrace/fasttrap.c	Thu Jul  3 19:07:37 2014	(r268230)
@@ -2277,7 +2277,8 @@ fasttrap_ioctl(struct cdev *dev, u_long 
 
 		probe = kmem_alloc(size, KM_SLEEP);
 
-		if (copyin(uprobe, probe, size) != 0) {
+		if (copyin(uprobe, probe, size) != 0 ||
+		    probe->ftps_noffs != noffs) {
 			kmem_free(probe, size);
 			return (EFAULT);
 		}
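
Review bot: The `probe->ftps_noffs != noffs` test added to the copyin condition covers only that one member, while the log message says handlers must validate all structure members. If any other field of the earlier fetch was checked before this hunk, the copy in probe should be held to the same checks, or the already validated values written over the new copy, since probe is what the rest of the handler will use. As in dtrace.c, a short comment stating that the user buffer is read twice and may change in between would explain why the count is compared again, and returning EFAULT for a successful copy whose contents changed is worth a second look.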


