Date:      Thu, 28 Jun 2012 16:54:11 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r237717 - stable/8/sys/ufs/ffs
Message-ID:  <201206281654.q5SGsBoc087252@svn.freebsd.org>

Author: kib
Date: Thu Jun 28 16:54:10 2012
New Revision: 237717
URL: http://svn.freebsd.org/changeset/base/237717

Log:
  MFC r237366:
  Fix unbounded-length malloc, controlled from usermode. The added check
  is performed before the exact size of the buffer is calculated, but the
  buffer cannot have a size greater than the total space allocated for
  extended attributes. The existing check is executed with the precise
  size, but it is too late, since the buffer needs to be allocated in
  advance.
  
  Also, adapt to uio_resid being of ssize_t type.  Use lblktosize instead of
  multiplying by fs block size by hand as well.

Modified:
  stable/8/sys/ufs/ffs/ffs_vnops.c
Directory Properties:
  stable/8/sys/   (props changed)

Modified: stable/8/sys/ufs/ffs/ffs_vnops.c
==============================================================================
--- stable/8/sys/ufs/ffs/ffs_vnops.c	Thu Jun 28 16:44:29 2012	(r237716)
+++ stable/8/sys/ufs/ffs/ffs_vnops.c	Thu Jun 28 16:54:10 2012	(r237717)
@@ -1648,7 +1648,8 @@ vop_setextattr {
 	struct inode *ip;
 	struct fs *fs;
 	uint32_t ealength, ul;
-	int ealen, olen, eapad1, eapad2, error, i, easize;
+	ssize_t ealen;
+	int olen, eapad1, eapad2, error, i, easize;
 	u_char *eae, *p;
 
 	ip = VTOI(ap->a_vp);
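Review bot: widening ealen to ssize_t is what makes the later "ealen < 0" test meaningful, since copying uio_resid into an int could silently truncate a huge request into a small positive value; easize stays int, so any place that derives easize from ealen should be checked for the same truncation.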
@@ -1667,6 +1668,10 @@ vop_setextattr {
 	if (ap->a_vp->v_mount->mnt_flag & MNT_RDONLY)
 		return (EROFS);
 
+	ealen = ap->a_uio->uio_resid;
+	if (ealen < 0 || ealen > lblktosize(fs, NXADDR))
+		return (EINVAL);
+
 	error = extattr_check_cred(ap->a_vp, ap->a_attrnamespace,
 	    ap->a_cred, ap->a_td, VWRITE);
 	if (error) {
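Review bot: the new bound dereferences fs (via lblktosize) before extattr_check_cred runs, so confirm that fs is assigned from the inode above line 1668 in the unchanged code, otherwise this reads an uninitialized pointer; the check itself is intentionally coarse (raw uio_resid against the whole EA area, no header or padding), so the precise check further down still has to stay.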
@@ -1684,7 +1689,6 @@ vop_setextattr {
 	if (error)
 		return (error);
 
-	ealen = ap->a_uio->uio_resid;
 	ealength = sizeof(uint32_t) + 3 + strlen(ap->a_name);
 	eapad1 = 8 - (ealength % 8);
 	if (eapad1 == 8)
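Review bot: dropping this assignment is only safe if nothing between the new assignment at line 1671 and this point consumes the uio; extattr_check_cred and the error return visible here do not, but the lines elided between the hunks should be checked for any uiomove or resid adjustment before relying on the earlier snapshot.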
@@ -1712,7 +1716,7 @@ vop_setextattr {
 			easize += (ealength - ul);
 		}
 	}
-	if (easize > NXADDR * fs->fs_bsize) {
+	if (easize > lblktosize(fs, NXADDR)) {
 		free(eae, M_TEMP);
 		ffs_close_ea(ap->a_vp, 0, ap->a_cred, ap->a_td);
 		if (ip->i_ea_area != NULL && ip->i_ea_error == 0)
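Review bot: this now uses the same bound as the early check, which makes it look redundant at first read; a one-line comment stating that easize here includes the attribute header and padding, whereas the early check only bounds the payload length, would save the next reader from removing one of them.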