Date: Mon, 12 Aug 2019 17:25:32 +0000 (UTC)
From: Ed Maste <emaste@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r350903 - stable/12/sys/fs/nandfs
Message-ID: <201908121725.x7CHPWmD009691@repo.freebsd.org>
Author: emaste Date: Mon Aug 12 17:25:32 2019 New Revision: 350903 URL: https://svnweb.freebsd.org/changeset/base/350903 Log: nandfs: avoid integer overflow in nandfs_get_dat_bdescs_ioctl nandfs was removed in head in r349352 and in any case was not built by default, but address the potential integer overflow in case someone does enable it and manages to avoid a panic from other nandfs issues. admbugs: 815 Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: imp MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D21232 Modified: stable/12/sys/fs/nandfs/nandfs_dat.c Modified: stable/12/sys/fs/nandfs/nandfs_dat.c ============================================================================== --- stable/12/sys/fs/nandfs/nandfs_dat.c Mon Aug 12 17:18:20 2019 (r350902) +++ stable/12/sys/fs/nandfs/nandfs_dat.c Mon Aug 12 17:25:32 2019 (r350903) @@ -298,6 +298,9 @@ nandfs_get_dat_bdescs_ioctl(struct nandfs_device *nffs size_t size; int error; + if (nargv->nv_nmembs >= SIZE_MAX / sizeof(struct nandfs_bdesc)) + return (EINVAL); + size = nargv->nv_nmembs * sizeof(struct nandfs_bdesc); bd = malloc(size, M_NANDFSTEMP, M_WAITOK); error = copyin((void *)(uintptr_t)nargv->nv_base, bd, size);
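Review bot: The new check on nargv->nv_nmembs in nandfs_get_dat_bdescs_ioctl only rules out wrap-around in the size multiplication; a count just below SIZE_MAX / sizeof(struct nandfs_bdesc) still reaches malloc(size, M_NANDFSTEMP, M_WAITOK) with an enormous size. Since nv_base is handed to copyin, the count appears to be caller-controlled, so consider rejecting anything above a maximum descriptor count that makes sense for the filesystem instead of the arithmetic limit alone. Minor: the >= comparison also rejects the one boundary count whose product would still fit in size_t; > would be sufficient for the overflow case, though the stricter form is harmless.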