Module Name:    src
Committed By:   riastradh
Date:           Fri Jul 28 14:45:59 UTC 2017

Modified Files:
        src/sys/netsmb: smb_dev.c

Log Message:
Reject negative offset/count for smb read/write.

Not clear that this is actually a problem for the kernel -- might
overwrite user's buffers or return garbage to user, but that's their
own damn fault. But it's hard to imagine that negative offset/count
ever makes sense, and I haven't ruled out a problem for the kernel.

To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/sys/netsmb/smb_dev.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/sys/netsmb/smb_dev.c diff -u src/sys/netsmb/smb_dev.c:1.49 src/sys/netsmb/smb_dev.c:1.50 --- src/sys/netsmb/smb_dev.c:1.49 Mon Jul 18 21:03:01 2016 +++ src/sys/netsmb/smb_dev.c Fri Jul 28 14:45:59 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: smb_dev.c,v 1.49 2016/07/18 21:03:01 pgoyette Exp $ */ +/* $NetBSD: smb_dev.c,v 1.50 2017/07/28 14:45:59 riastradh Exp $ */ /* * Copyright (c) 2000-2001 Boris Popov @@ -35,7 +35,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.49 2016/07/18 21:03:01 pgoyette Exp $"); +__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.50 2017/07/28 14:45:59 riastradh Exp $"); #include <sys/param.h> #include <sys/kernel.h> @@ -345,6 +345,8 @@ nsmb_dev_ioctl(dev_t dev, u_long cmd, vo struct uio auio; struct iovec iov; + if (rwrq->ioc_cnt < 0 || rwrq->ioc_offset < 0) + return EINVAL; if ((ssp = sdp->sd_share) == NULL) return ENOTCONN; iov.iov_base = rwrq->ioc_base;
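
Review bot: In the @@ -345,6 +345,8 @@ hunk of nsmb_dev_ioctl, the new test "rwrq->ioc_cnt < 0 || rwrq->ioc_offset < 0" only rejects negative values. Nothing visible here bounds ioc_cnt from above or guards ioc_offset + ioc_cnt against overflow, so if the code that fills in iov and auio after this point depends on the sum being sane, an explicit upper-bound check belongs next to this one. The test is also only meaningful if both fields are signed; their declarations are not part of this diff, so that is worth confirming. A short comment above the test saying why negatives are refused would help, since the log message says kernel impact has not been ruled out. Note that EINVAL is now returned before the sd_share == NULL check, so a caller with bad arguments on an unconnected device sees EINVAL rather than ENOTCONN, which seems fine but is a visible behaviour change. The two earlier hunks are only $NetBSD$ id bumps and need no comment.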