Date:      Tue, 12 May 2009 09:22:33 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r192012 - head/sys/fs/fdescfs
Message-ID:  <200905120922.n4C9MXWv016790@svn.freebsd.org>

Author: kib
Date: Tue May 12 09:22:33 2009
New Revision: 192012
URL: http://svn.freebsd.org/changeset/base/192012

Log:
  Return controlled EINVAL when the fdescfs lookup routine is given a string
  representing too large an integer, instead of overflowing and possibly
  returning a random but valid vnode.
  
  Noted by:	Jilles Tjoelker <jilles stack nl>
  MFC after:	3 days

Modified:
  head/sys/fs/fdescfs/fdesc_vnops.c

Modified: head/sys/fs/fdescfs/fdesc_vnops.c
==============================================================================
--- head/sys/fs/fdescfs/fdesc_vnops.c	Tue May 12 07:41:20 2009	(r192011)
+++ head/sys/fs/fdescfs/fdesc_vnops.c	Tue May 12 09:22:33 2009	(r192012)
@@ -265,7 +265,7 @@ fdesc_lookup(ap)
 	struct thread *td = cnp->cn_thread;
 	struct file *fp;
 	int nlen = cnp->cn_namelen;
-	u_int fd;
+	u_int fd, fd1;
 	int error;
 	struct vnode *fvp;
 
@@ -297,7 +297,12 @@ fdesc_lookup(ap)
 			error = ENOENT;
 			goto bad;
 		}
-		fd = 10 * fd + *pname++ - '0';
+		fd1 = 10 * fd + *pname++ - '0';
+		if (fd1 < fd) {
+			error = ENOENT;
+			goto bad;
+		}
+		fd = fd1;
 	}
 
 	if ((error = fget(td, fd, &fp)) != 0)
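Review bot: The `if (fd1 < fd)` test in the digit loop does not catch every wrap of `10 * fd + *pname++ - '0'`, because an unsigned multiply by 10 can wrap to a value that is still larger than the old `fd`. With a 32-bit `u_int`, the name "8053063680" reaches fd = 805306368 (0x30000000) without overflow; the next digit gives 10 * fd = 0x1E0000000, which truncates to 0xE0000000, and since that is greater than fd the check passes and the wrapped value goes on to `fget()`. Testing before the arithmetic closes the gap and removes the need for `fd1`: take the digit into a local first and bail out when `fd > (UINT_MAX - digit) / 10`. Separately, the log message says the routine returns EINVAL, but the new branch sets `error = ENOENT`; one of the two should be changed so they agree.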


