diff options
author | Xin LI <delphij@FreeBSD.org> | 2010-11-05 22:18:09 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2010-11-05 22:18:09 +0000 |
commit | b97a9057c27f1ca9999503824f47ccfff1e5a772 (patch) | |
tree | c574fa491752c9b21107af56b0b020d618b9ef99 /sys/cddl/contrib/opensolaris | |
parent | 5aa39e6a7eae67fa12ce6f2146aecef4dec7666b (diff) | |
download | src-b97a9057c27f1ca9999503824f47ccfff1e5a772.tar.gz src-b97a9057c27f1ca9999503824f47ccfff1e5a772.zip |
Validate whether the zfs_cmd_t submitted from userland is not smaller than
what we have. Without the check the kernel could accessing memory that
does not belong to the request struct.
Note that we do not test if the struct equals in size at this time, which
may faciliate forward compatibility with newer binaries.
Reviewed by: pjd at MeetBSD CA '2010
MFC after: 1 week
Notes
Notes:
svn path=/head/; revision=214854
Diffstat (limited to 'sys/cddl/contrib/opensolaris')
-rw-r--r-- | sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c index 430a1b934ae5..9a68adffbd6b 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c @@ -3627,6 +3627,14 @@ zfsdev_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag, uint_t vec; int error; + /* + * Check if we have sufficient kernel memory allocated + * for the zfs_cmd_t request. Bail out if not so we + * will not access undefined memory region. + */ + if (IOCPARM_LEN(cmd) < sizeof(zfs_cmd_t)) + return (EINVAL); + vec = ZFS_IOC(cmd); if (vec >= sizeof (zfs_ioc_vec) / sizeof (zfs_ioc_vec[0])) |