author | Chuck Lever <cel@FreeBSD.org> | 2006-05-13 00:16:35 +0000 |
---|---|---|
committer | Chuck Lever <cel@FreeBSD.org> | 2006-05-13 00:16:35 +0000 |
commit | 5f396e80f058ac6c7aacb8ecd279c08a3abafec2 (patch) | |
tree | a65145043677ccf29ba1db523a7a6c213063f4f0 | |
parent | ace86f3f275d811038495d84292148522966750f (diff) | |
Add better sanity checking to the logic that handles ioctl processing
for nfsclient and nfs4client in order to prevent local root users
from panicking the system.
PR: kern/77463
Submitted by: Wojciech A. Koszek
Reviewed by: cel, rees
MFC after: 2 weeks
Security: Local root users can panic the system at will
Notes
Notes:
svn path=/head/; revision=158505
-rw-r--r-- | sys/nfs4client/nfs4_dev.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/nfs4client/nfs4_dev.c b/sys/nfs4client/nfs4_dev.c
index 7f780a9f4213..35276d350f12 100644
--- a/sys/nfs4client/nfs4_dev.c
+++ b/sys/nfs4client/nfs4_dev.c
@@ -152,11 +152,12 @@ nfs4dev_reply(caddr_t addr)
 return EINVAL;
 }
- if (m->msg_len == 0 || m->msg_len > NFS4DEV_MSG_MAX_DATALEN) {
+ if (m->msg_len < sizeof(*m) - NFS4DEV_MSG_MAX_DATALEN ||
+ m->msg_len > NFS4DEV_MSG_MAX_DATALEN) {
 NFS4DEV_DEBUG("bad message length\n");
 return EINVAL;
 }
-
+
 /* match the reply with a request */
 mtx_lock(&nfs4dev_waitq_mtx);
 TAILQ_FOREACH(u, &nfs4dev_waitq, up_entry) {
@@ -197,8 +198,10 @@ found:
 return 0;
 bad:
- u->up_error = error;
- wakeup(u);
+ if (u) {
+ u->up_error = error;
+ wakeup(u);
+ }
 return error;
 } |
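Review bot: The two bounds of the new length check in nfs4dev_reply() appear to measure different things: the lower bound `sizeof(*m) - NFS4DEV_MSG_MAX_DATALEN` looks like the size of the fixed header, while the upper bound is the payload maximum. Because `m` is supplied by the ioctl caller, the check should say which of the two `msg_len` counts; if it is payload only, the lower bound rejects legitimate short replies, and if it includes the header, the upper bound is tighter than intended. I would add a comment above the check along the lines of `/* msg_len is the payload length in bytes; must fit in the message data area */` (adjusted to the real unit), and note that the unsigned subtraction wraps if the struct ever becomes smaller than NFS4DEV_MSG_MAX_DATALEN. The struct definition and the later uses of `msg_len` are outside this hunk, so the intended unit is an inference.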
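Review bot: The new `if (u)` guard at the `bad:` label is only sound if `u` is NULL on every path that reaches `bad:` without a matched request, including any `goto bad` taken before the TAILQ_FOREACH loop has run. The declaration of `u` is outside this hunk, so confirm it is initialised to NULL there; otherwise the guard tests an indeterminate pointer and the panic this commit targets may still be reachable. A comment such as `/* u is NULL when no waiting request matched the reply */` above the guard would record the invariant, and `if (u != NULL)` is the more explicit spelling for a pointer test.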