Date: Sun, 20 Jan 2013 19:55:09 -0800
From: Yuri <yuri@rawbw.com>
To: mdf@freebsd.org
Cc: hackers@freebsd.org
Subject: Re: How to validate the variable size memory block in ioctl handler?
Message-ID: <50FCBC1D.4070905@rawbw.com>
In-Reply-To: <CAMBSHm9in=W6eJ8MJSLQhfQFthbqiAaL1eLy0rQ3RhQehvHqmg@mail.gmail.com>
References: <50FC7767.4050207@rawbw.com> <CAMBSHm8-zJpTN_D2SGSYwX%2BEbituDmw7S9di1phKxEC_OL%2Bu=A@mail.gmail.com> <50FCACEC.8000100@rawbw.com> <CAMBSHm9in=W6eJ8MJSLQhfQFthbqiAaL1eLy0rQ3RhQehvHqmg@mail.gmail.com>

On 01/20/2013 19:15, mdf@freebsd.org wrote:
> This would be fine for a local patch but it breaks existing (valid)
> uses that have exactly 8191 bytes of data, so it wouldn't be suitable
> for the main FreeBSD repository. Also, in general one wants to have
> limits on syscalls that can force a kernel malloc of any size, as it
> leads to denial of service attacks or crashes by requesting the kernel
> over-allocate memory.

Both problems are easily fixable.

Current len range can be preserved by encoding this case into an 'inout' parameter of _IOC instead. IOC_VOID is only used when no IOC_IN/IOC_OUT is set, so all 3 bits would mean _IORWE.

And arbitrarily high parameter size can be explicitly limited in sys_generic.c to IOCPARM_MAX.

Yuri
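
The encoding discussed in this message, as an added example that is not code from the thread or from FreeBSD: a userland C decoder showing that a 13-bit in-band length tops out at 8191, and how a command with all three direction bits set could carry a separately supplied length capped at IOCPARM_MAX. The constants carry the values from FreeBSD's `<sys/ioccom.h>`; `MK_IOC`, `ioc_decode`, the `K_*` names and the separate `user_len` argument are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants with the values FreeBSD's <sys/ioccom.h> gives them. */
#define IOCPARM_SHIFT  13
#define IOCPARM_MASK   ((1u << IOCPARM_SHIFT) - 1)  /* 8191, largest in-band length */
#define IOCPARM_MAX    (1u << IOCPARM_SHIFT)
#define IOCPARM_LEN(x) (((x) >> 16) & IOCPARM_MASK)
#define IOC_VOID       0x20000000u
#define IOC_OUT        0x40000000u
#define IOC_IN         0x80000000u
#define IOC_DIRMASK    (IOC_VOID | IOC_OUT | IOC_IN)
/* Hypothetical stand-in for _IOC(): direction, group, number, length. */
#define MK_IOC(d, g, n, len) ((uint32_t)(d) | \
	(((uint32_t)(len) & IOCPARM_MASK) << 16) | ((uint32_t)(g) << 8) | (uint32_t)(n))

enum ioc_kind { K_INVALID, K_VOID, K_IN, K_OUT, K_INOUT, K_VARSIZE };

/* Hypothetical decoder. K_VARSIZE (all three direction bits set) is the
 * encoding proposed in the mail, not current FreeBSD behaviour; user_len
 * models a caller-supplied length for that case (assumption). *alloc is the
 * byte count the kernel would have to allocate, 0 when rejected. */
static enum ioc_kind
ioc_decode(uint32_t cmd, size_t user_len, size_t *alloc)
{
	uint32_t dir = cmd & IOC_DIRMASK;
	size_t len = IOCPARM_LEN(cmd);

	*alloc = 0;
	if (dir == IOC_DIRMASK) {               /* proposed variable-size case */
		if (user_len == 0 || user_len > IOCPARM_MAX)
			return (K_INVALID);     /* cap bounds the kernel malloc */
		*alloc = user_len;
		return (K_VARSIZE);
	}
	if (dir == IOC_VOID)
		return (len == 0 ? K_VOID : K_INVALID);
	if (dir == 0 || (dir & IOC_VOID) || len == 0)
		return (K_INVALID);             /* no direction, mixed VOID, empty copy */
	*alloc = len;                           /* in-band length, at most 8191 */
	return (dir == IOC_IN ? K_IN : dir == IOC_OUT ? K_OUT : K_INOUT);
}

int main(void)
{
	size_t n;
	/* Constructed sample: an 8191-byte in/out command still decodes as before. */
	enum ioc_kind k = ioc_decode(MK_IOC(IOC_IN | IOC_OUT, 'x', 1, 8191), 0, &n);
	printf("kind=%d alloc=%zu\n", (int)k, n);
	return (0);
}
```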