Module Name:    src
Committed By:   riastradh
Date:           Fri Jul 28 17:52:47 UTC 2017

Modified Files:
        src/sys/compat/svr4: svr4_stream.c

Log Message:
Check bounds in svr4_sys_putmsg.  Check more svr4_strmcmd bounds.

svr4 streams code is still a disaster.

From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.90 -r1.91 src/sys/compat/svr4/svr4_stream.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_stream.c
diff -u src/sys/compat/svr4/svr4_stream.c:1.90 src/sys/compat/svr4/svr4_stream.c:1.91
--- src/sys/compat/svr4/svr4_stream.c:1.90	Fri Jul 28 17:43:46 2017
+++ src/sys/compat/svr4/svr4_stream.c	Fri Jul 28 17:52:47 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_stream.c,v 1.90 2017/07/28 17:43:46 riastradh Exp $	 */
+/*	$NetBSD: svr4_stream.c,v 1.91 2017/07/28 17:52:47 riastradh Exp $	 */
 
 /*-
  * Copyright (c) 1994, 2008 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.90 2017/07/28 17:43:46 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.91 2017/07/28 17:52:47 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -533,6 +533,11 @@ si_listen(file_t *fp, int fd, struct svr
 
 	if ((error = copyin(NETBSD32PTR(ioc->buf), &lst, ioc->len)) != 0)
 		return error;
+	if (lst.offs < 0 ||
+	    lst.len < 0 ||
+	    lst.len > ioc->len ||
+	    ioc->len - lst.len < lst.offs)
+		return EINVAL;
 
 	if (lst.cmd != SVR4_TI_OLD_BIND_REQUEST) {
 		DPRINTF(("si_listen: bad request %ld\n", lst.cmd));
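Review bot: The new comparisons read `lst.len` and `lst.offs`, but the `copyin` just above fills only `ioc->len` bytes of `lst`, so a request shorter than the header leaves those fields holding stale stack content when they are checked. Unless the part of si_listen outside this hunk already bounds `ioc->len` on both sides, I would zero the struct first with `memset(&lst, 0, sizeof(lst));` and reject lengths outside `0 .. sizeof(lst)` before the copy. The same question applies to `sc` in svr4_sys_putmsg, which is filled by a `copyin` of `ctl.len` bytes, and presumably to `bnd` in ti_bind, whose copy is outside its hunk.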
@@ -777,7 +782,10 @@ ti_bind(file_t *fp, int fd, struct svr4_
 		DPRINTF(("ti_bind: bad request %ld\n", bnd.cmd));
 		return EINVAL;
 	}
-	if (bnd.offs < 0)
+	if (bnd.offs < 0 ||
+	    bnd.len < 0 ||
+	    bnd.len > ioc->len ||
+	    ioc->len - bnd.len < bnd.offs)
 		return EINVAL;
 
 	switch (st->s_family) {
@@ -1434,7 +1442,10 @@ svr4_sys_putmsg(struct lwp *l, const str
 
 	if ((error = copyin(NETBSD32PTR(ctl.buf), &sc, ctl.len)) != 0)
 		goto out;
-	if (sc.offs < 0) {
+	if (sc.offs < 0 ||
+	    sc.len < 0 ||
+	    sc.len > ctl.len ||
+	    sc.offs > ctl.len - sc.len) {
 		error = EINVAL;
 		goto out;
 	}
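Review bot: The same four-clause range check is now written out three times, and this copy spells the last clause the other way round (`sc.offs > ctl.len - sc.len`) from si_listen and ti_bind (`ioc->len - lst.len < lst.offs`). The two forms are equivalent, but a reader has to re-derive that at each site, and nothing records that the subtraction form is what keeps `offs + len` from overflowing. A small shared predicate with that comment would keep the three sites in step. The sketch below assumes the fields fit in `long`, which the `%ld` in the DPRINTFs suggests for `cmd` but which should be confirmed against the struct definition.

```c
/*
 * True iff [offs, offs + len) lies inside a control buffer of buflen
 * bytes.  Written with a subtraction so that offs + len is never
 * computed and cannot overflow.
 */
static inline bool
svr4_strmcmd_inbounds(long offs, long len, long buflen)
{
	return offs >= 0 && len >= 0 && len <= buflen &&
	    offs <= buflen - len;
}

/* ... unchanged: copyin of ctl.buf into sc ... */
	if (!svr4_strmcmd_inbounds(sc.offs, sc.len, ctl.len)) {
		error = EINVAL;
		goto out;
	}
```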
@@ -1481,8 +1492,11 @@ svr4_sys_putmsg(struct lwp *l, const str
 			*retval = 0;
 			error = 0;
 			goto out;
-		}
-		else {
+		} else if (sc.len < sizeof(dev_t[2])) {
+			*retval = 0;
+			error = EINVAL;
+			goto out;
+		} else {
 			/* Maybe we've been given a device/inode pair */
 			dev_t *dev = SVR4_ADDROF(&sc);
 			svr4_ino_t *ino = (svr4_ino_t *) &dev[1];
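Review bot: The guard `sc.len < sizeof(dev_t[2])` does not state what the branch actually reads, which is one `dev_t` followed by a `svr4_ino_t` at `&dev[1]`; it is sufficient only if `svr4_ino_t` is no larger than `dev_t`. It also compares a signed length with a `size_t`, which is safe only because the earlier check in this function has already rejected `sc.len < 0`. I would write `} else if ((size_t)sc.len < sizeof(dev_t) + sizeof(svr4_ino_t)) {` with a comment noting that dependency. The else block continues past the end of the hunk, so how `dev` and `ino` are dereferenced, and whether a caller-chosen `offs` can leave them misaligned, is not visible here.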
