CVS commit: src/sys/coda

Tue, 20 Jul 2010 10:26:14 -0700 

Module Name:    src
Committed By:   christos
Date:           Tue Jul 20 17:26:04 UTC 2010

Modified Files:
        src/sys/coda: coda.h coda_venus.c coda_vnops.c

Log Message:
Correct incomplete size checks for the coda ioctls. From Dan Rosenberg.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/sys/coda/coda.h
cvs rdiff -u -r1.27 -r1.28 src/sys/coda/coda_venus.c
cvs rdiff -u -r1.75 -r1.76 src/sys/coda/coda_vnops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/coda/coda.h
diff -u src/sys/coda/coda.h:1.15 src/sys/coda/coda.h:1.16
--- src/sys/coda/coda.h:1.15	Mon Sep 28 06:51:35 2009
+++ src/sys/coda/coda.h	Tue Jul 20 13:26:03 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: coda.h,v 1.15 2009/09/28 10:51:35 blymn Exp $ */
+/* $NetBSD: coda.h,v 1.16 2010/07/20 17:26:03 christos Exp $ */
 
 /*
 
@@ -793,8 +793,8 @@
 #define PIOCPARM_MASK 0x0000ffff
 struct ViceIoctl {
         void *in, *out;		/* Data to be transferred in, or out */
-        short in_size;          /* Size of input buffer <= 2K */
-        short out_size;         /* Maximum size of output buffer, <= 2K */
+        unsigned short in_size; /* Size of input buffer <= 2K */
+        unsigned short out_size;/* Maximum size of output buffer, <= 2K */
 };
 
 struct PioctlData {

Index: src/sys/coda/coda_venus.c
diff -u src/sys/coda/coda_venus.c:1.27 src/sys/coda/coda_venus.c:1.28
--- src/sys/coda/coda_venus.c:1.27	Sat Apr 18 10:58:02 2009
+++ src/sys/coda/coda_venus.c	Tue Jul 20 13:26:03 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: coda_venus.c,v 1.27 2009/04/18 14:58:02 tsutsui Exp $	*/
+/*	$NetBSD: coda_venus.c,v 1.28 2010/07/20 17:26:03 christos Exp $	*/
 
 /*
  *
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.27 2009/04/18 14:58:02 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.28 2010/07/20 17:26:03 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -308,7 +308,7 @@
     tmp = ((com >> 16) & IOCPARM_MASK) - sizeof (char *) - sizeof (int);
     inp->cmd |= (tmp & IOCPARM_MASK) <<	16;
 
-    if (iap->vi.in_size < 0 || iap->vi.in_size > VC_MAXMSGSIZE) {
+    if (iap->vi.in_size > VC_MAXMSGSIZE || iap->vi.out_size > VC_MAXMSGSIZE) {
 	CODA_FREE(inp, coda_ioctl_size);
 	return (EINVAL);
     }

Index: src/sys/coda/coda_vnops.c
diff -u src/sys/coda/coda_vnops.c:1.75 src/sys/coda/coda_vnops.c:1.76
--- src/sys/coda/coda_vnops.c:1.75	Thu Jul  1 09:00:54 2010
+++ src/sys/coda/coda_vnops.c	Tue Jul 20 13:26:03 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: coda_vnops.c,v 1.75 2010/07/01 13:00:54 hannken Exp $	*/
+/*	$NetBSD: coda_vnops.c,v 1.76 2010/07/20 17:26:03 christos Exp $	*/
 
 /*
  *
@@ -46,7 +46,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: coda_vnops.c,v 1.75 2010/07/01 13:00:54 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: coda_vnops.c,v 1.76 2010/07/20 17:26:03 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -539,7 +539,7 @@
 	return(EINVAL);
     }
 
-    if (iap->vi.in_size > VC_MAXDATASIZE) {
+    if (iap->vi.in_size > VC_MAXDATASIZE || iap->vi.out_size > VC_MAXDATASIZE) {
 	vrele(tvp);
 	return(EINVAL);
     }

Reply via email to