Author: davidcs
Date: Fri Nov 15 01:44:58 2013
New Revision: 258156
URL: http://svnweb.freebsd.org/changeset/base/258156
Log:
Validate the buffer and its length passed to QLA_MPI_DUMP.
copyout dump only if qls_mpi_core_dump() is successful.
(like to credit x90c for pointing the issue)
Submitted by:David C Somayajulu
Modified:
head/sys/dev/qlxge/qls_ioctl.c
Modified: head/sys/dev/qlxge/qls_ioctl.c
==============================================================================
--- head/sys/dev/qlxge/qls_ioctl.c Fri Nov 15 01:26:24 2013
(r258155)
+++ head/sys/dev/qlxge/qls_ioctl.c Fri Nov 15 01:44:58 2013
(r258156)
@@ -100,13 +100,16 @@ qls_eioctl(struct cdev *dev, u_long cmd,
if (mpi_dump->size == 0) {
mpi_dump->size = sizeof (qls_mpi_coredump_t);
} else {
- if (mpi_dump->size < sizeof (qls_mpi_coredump_t))
+ if ((mpi_dump->size != sizeof (qls_mpi_coredump_t)) ||
+ (mpi_dump->dbuf == NULL))
rval = EINVAL;
else {
- qls_mpi_core_dump(ha);
- rval = copyout( &ql_mpi_coredump,
- mpi_dump->dbuf,
- mpi_dump->size);
+ if (qls_mpi_core_dump(ha) == 0) {
+ rval = copyout(&ql_mpi_coredump,
+ mpi_dump->dbuf,
+ mpi_dump->size);
+ } else
+ rval = ENXIO;
if (rval) {
device_printf(ha->pci_dev,
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
