Author: trasz
Date: Thu Nov  3 10:11:59 2016
New Revision: 308250
URL: https://svnweb.freebsd.org/changeset/base/308250

Log:
  Check for lengths being <= 0.  Note that this interface can only
  be accessed by root.  It uses unsigned ints instead of size_t
  to preserve the ABI.
  
  PR:           207627
  Submitted by: r...@ryanday.net (with slight tweaks)
  MFC after:    1 month

Modified:
  head/sys/cam/ctl/ctl.c
  head/sys/cam/ctl/ctl_ioctl.h

Modified: head/sys/cam/ctl/ctl.c
==============================================================================
--- head/sys/cam/ctl/ctl.c      Thu Nov  3 09:51:25 2016        (r308249)
+++ head/sys/cam/ctl/ctl.c      Thu Nov  3 10:11:59 2016        (r308250)
@@ -2370,7 +2370,7 @@ ctl_ioctl_fill_ooa(struct ctl_lun *lun, 
 }
 
 static void *
-ctl_copyin_alloc(void *user_addr, int len, char *error_str,
+ctl_copyin_alloc(void *user_addr, unsigned int len, char *error_str,
                 size_t error_str_len)
 {
        void *kptr;
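Review bot: The new `unsigned int len` parameter of ctl_copyin_alloc carries no statement of its valid range, and nothing in this hunk guards it inside the function; the zero-length rejections are added at the call sites in ctl_copyin_args (the two following hunks), so any other caller would still hand len == 0 to the allocation and copy this function performs. Either add a guard at the top of the function that fails with an error_str message, or record the precondition with a comment such as `/* len must be > 0; callers validate this before calling. */`. The function body continues past the hunk, so whether it already bounds len cannot be seen here.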
@@ -2425,6 +2425,12 @@ ctl_copyin_args(int num_args, struct ctl
        for (i = 0; i < num_args; i++) {
                uint8_t *tmpptr;
 
+               if (args[i].namelen == 0) {
+                       snprintf(error_str, error_str_len, "Argument %d "
+                                "name length is zero", i);
+                       goto bailout;
+               }
+
                args[i].kname = ctl_copyin_alloc(args[i].name,
                        args[i].namelen, error_str, error_str_len);
                if (args[i].kname == NULL)
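Review bot: The added check rejects only `namelen == 0`; there is still no upper bound, so a namelen near UINT_MAX reaches ctl_copyin_alloc and whatever allocation it performs (its body is outside this hunk). The log notes the interface is root-only, which limits the exposure, but a sanity cap would turn a corrupted request into a clean error rather than an oversized kernel allocation, e.g. `if (args[i].namelen == 0 || args[i].namelen > CTL_ARG_NAMELEN_MAX /* placeholder: pick a real limit */)`. The same observation applies to the vallen check in the next hunk. ctl_copyin_args starts before and ends after this hunk.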
@@ -2437,10 +2443,17 @@ ctl_copyin_args(int num_args, struct ctl
                }
 
                if (args[i].flags & CTL_BEARG_RD) {
+                       if (args[i].vallen == 0) {
+                               snprintf(error_str, error_str_len, "Argument %d 
"
+                                        "value length is zero", i);
+                               goto bailout;
+                       }
+
                        tmpptr = ctl_copyin_alloc(args[i].value,
                                args[i].vallen, error_str, error_str_len);
                        if (tmpptr == NULL)
                                goto bailout;
+
                        if ((args[i].flags & CTL_BEARG_ASCII)
                         && (tmpptr[args[i].vallen - 1] != '\0')) {
                                snprintf(error_str, error_str_len, "Argument "
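Review bot: The `vallen == 0` guard sits inside the `CTL_BEARG_RD` branch, so an argument flagged only for writing leaves this loop with vallen unchecked; if the copyout path that serves such arguments (not in this hunk) sizes its copy by vallen, it keeps the zero-length problem this commit fixes for the read direction. Hoisting the check above the flags test, beside the namelen check, would cover both directions with one test. The index `tmpptr[args[i].vallen - 1]` a few lines down is now safe only because of the new guard; a comment `/* vallen > 0 was checked above, so vallen - 1 cannot wrap. */` would record that dependency. ctl_copyin_args continues outside the hunk.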

Modified: head/sys/cam/ctl/ctl_ioctl.h
==============================================================================
--- head/sys/cam/ctl/ctl_ioctl.h        Thu Nov  3 09:51:25 2016        
(r308249)
+++ head/sys/cam/ctl/ctl_ioctl.h        Thu Nov  3 10:11:59 2016        
(r308250)
@@ -317,20 +317,20 @@ typedef enum {
  *
  * flags:      Flags for the parameter, see above for values.
  *
- * vallen:     Length of the value in bytes.
+ * vallen:     Length of the value in bytes, including the terminating NUL.
  *
- * value:      Value to be set/fetched.
+ * value:      Value to be set/fetched. This must be NUL-terminated.
  *
  * kname:      For kernel use only.
  *
  * kvalue:     For kernel use only.
  */
 struct ctl_be_arg {
-       int     namelen;
-       char    *name;
-       int     flags;
-       int     vallen;
-       void    *value;
+       unsigned int    namelen;
+       char            *name;
+       int             flags;
+       unsigned int    vallen;
+       void            *value;
 
        char    *kname;
        void    *kvalue;
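Review bot: The new comment on `value` says it must be NUL-terminated unconditionally, but the ctl.c hunk checks for the terminator only when `CTL_BEARG_ASCII` is set, so a binary value is not actually required to end in NUL; the field documentation should match the enforced contract, e.g. `* vallen: Length of the value in bytes; for CTL_BEARG_ASCII values this includes the terminating NUL.` and `* value: Value to be set/fetched. CTL_BEARG_ASCII values must be NUL-terminated.`. The `namelen` and `vallen` fields are now unsigned and, per the ctl.c change, rejected when zero, which the comment block above the struct could state so userland authors see the rule without reading the kernel. A short note that the int-to-unsigned change keeps the struct layout (as the log says) would also help readers auditing the ABI later.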