Author: delphij
Date: Fri Nov  5 22:18:09 2010
New Revision: 214854
URL: http://svn.freebsd.org/changeset/base/214854

Log:
  Validate whether the zfs_cmd_t submitted from userland is not smaller than
  what we have.  Without the check the kernel could access memory that
  does not belong to the request struct.
  
  Note that we do not test if the struct equals in size at this time, which
  may facilitate forward compatibility with newer binaries.
  
  Reviewed by:  pjd at MeetBSD CA '2010
  MFC after:    1 week

Modified:
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c

Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
==============================================================================
--- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c     Fri Nov 
 5 21:47:58 2010        (r214853)
+++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c     Fri Nov 
 5 22:18:09 2010        (r214854)
@@ -3627,6 +3627,14 @@ zfsdev_ioctl(struct cdev *dev, u_long cm
        uint_t vec;
        int error;
 
+       /*
+        * Check if we have sufficient kernel memory allocated
+        * for the zfs_cmd_t request.  Bail out if not so we
+        * will not access undefined memory region.
+        */
+       if (IOCPARM_LEN(cmd) < sizeof(zfs_cmd_t))
+               return (EINVAL);
+
        vec = ZFS_IOC(cmd);
 
        if (vec >= sizeof (zfs_ioc_vec) / sizeof (zfs_ioc_vec[0]))
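Review bot: The new comment above the IOCPARM_LEN(cmd) test does not say that a length larger than sizeof(zfs_cmd_t) is accepted on purpose; that rationale appears only in the commit log. Someone reading zfsdev_ioctl() later could take the `<` for an oversight and tighten it to `!=`, which would undo the forward compatibility the log describes, so I would add a sentence to the comment stating that larger requests are deliberately allowed. A smaller style point on the same line: the surrounding code in this file writes `sizeof (zfs_ioc_vec)` with a space, while the added line uses `sizeof(zfs_cmd_t)`; matching the file's existing spacing would keep this contrib code consistent.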