diff options
author | Alexander Motin <mav@FreeBSD.org> | 2018-09-06 14:03:10 +0000 |
---|---|---|
committer | Alexander Motin <mav@FreeBSD.org> | 2018-09-06 14:03:10 +0000 |
commit | cae8b43e5cef6904f463b126577f2a192ae8750b (patch) | |
tree | 8dd6820a6521934fdfc9c0baf5dffa6c19e83bd7 /sys/cam | |
parent | 6ed134c41b565f6a4cf5610bf3abdba991aaa60d (diff) | |
download | src-cae8b43e5cef6904f463b126577f2a192ae8750b.tar.gz src-cae8b43e5cef6904f463b126577f2a192ae8750b.zip |
Add missing copyin() to access LUN and port ioctl arguments.
Somehow this was working even after PTI in, at least on amd64, and got
broken by something only very recently.
Reviewed by: araujo
Approved by: re (gjb)
Notes
Notes:
svn path=/head/; revision=338494
Diffstat (limited to 'sys/cam')
-rw-r--r-- | sys/cam/ctl/ctl.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c index 94bc97bc033d..2606327d3851 100644 --- a/sys/cam/ctl/ctl.c +++ b/sys/cam/ctl/ctl.c @@ -2943,8 +2943,17 @@ ctl_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag, } if (lun_req->args != NULL) { - lun_req->args_nvl = nvlist_unpack(lun_req->args, + packed = malloc(lun_req->args_len, M_CTL, M_WAITOK); + if (copyin(lun_req->args, packed, lun_req->args_len) != 0) { + free(packed, M_CTL); + lun_req->status = CTL_LUN_ERROR; + snprintf(lun_req->error_str, sizeof(lun_req->error_str), + "Cannot copyin args."); + break; + } + lun_req->args_nvl = nvlist_unpack(packed, lun_req->args_len, 0); + free(packed, M_CTL); if (lun_req->args_nvl == NULL) { lun_req->status = CTL_LUN_ERROR; @@ -3211,8 +3220,17 @@ ctl_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag, } if (req->args != NULL) { - req->args_nvl = nvlist_unpack(req->args, + packed = malloc(req->args_len, M_CTL, M_WAITOK); + if (copyin(req->args, packed, req->args_len) != 0) { + free(packed, M_CTL); + req->status = CTL_LUN_ERROR; + snprintf(req->error_str, sizeof(req->error_str), + "Cannot copyin args."); + break; + } + req->args_nvl = nvlist_unpack(packed, req->args_len, 0); + free(packed, M_CTL); if (req->args_nvl == NULL) { req->status = CTL_LUN_ERROR; |