authorSean Bruno <sbruno@FreeBSD.org>2016-05-24 13:57:23 +0000
committerSean Bruno <sbruno@FreeBSD.org>2016-05-24 13:57:23 +0000
commit6115013663a900bcab31a2e84c9a65bc6d85312f (patch)
treee7d67e3dcf24270e17a4d03a39a29e286f4cc5c4 /sys/dev/an/if_an.c
parent0d0da7691102c99bf37fd1cd029ffbd41af7f1d9 (diff)
Reject ioctl commands for FLSHGCHR and FLSHPCHR if the size is greater
than sc->areq. This is a bounds check to ensure we're not just cramming arbitrarily sized nonsense into the driver and overflowing the heap. PR: 209545 Submitted by: cturt@hardenedbsd.org MFC after: 2 weeks
Notes
Notes: svn path=/head/; revision=300612
Diffstat (limited to 'sys/dev/an/if_an.c')
-rw-r--r--sys/dev/an/if_an.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/dev/an/if_an.c b/sys/dev/an/if_an.c
index 4b1891d1be9d..dc3fbf2adf58 100644
--- a/sys/dev/an/if_an.c
+++ b/sys/dev/an/if_an.c
@@ -3749,6 +3749,9 @@ flashcard(struct ifnet *ifp, struct aironet_ioctl *l_ioctl)
return ENOBUFS;
break;
case AIROFLSHGCHR: /* Get char from aux */
+ if (l_ioctl->len > sizeof(sc->areq)) {
+ return -EINVAL;
+ }
AN_UNLOCK(sc);
status = copyin(l_ioctl->data, &sc->areq, l_ioctl->len);
AN_LOCK(sc);
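Review bot: The new guard returns `-EINVAL`, while the same switch returns a positive errno two lines above it (`return ENOBUFS;`), so the rejection path uses a different sign convention from its neighbour. FreeBSD kernel code normally hands positive errno values back up the ioctl path, so a negative value may reach userland as something other than EINVAL; the caller is outside this hunk, so that part is inferred. I would write `return EINVAL;` here and in the identical check under `case AIROFLSHPCHR` in the second hunk. The bound itself matches the `copyin` into `sc->areq` that follows, and a short comment such as `/* len is user-supplied; must fit sc->areq before copyin */` would keep that intent visible at both sites. flashcard's body starts and ends outside both hunks.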
@@ -3760,6 +3763,9 @@ flashcard(struct ifnet *ifp, struct aironet_ioctl *l_ioctl)
else
return -1;
case AIROFLSHPCHR: /* Send char to card. */
+ if (l_ioctl->len > sizeof(sc->areq)) {
+ return -EINVAL;
+ }
AN_UNLOCK(sc);
status = copyin(l_ioctl->data, &sc->areq, l_ioctl->len);
AN_LOCK(sc);