diff options
| author | Gleb Smirnoff <glebius@FreeBSD.org> | 2012-01-26 11:59:48 +0000 |
|---|---|---|
| committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2012-01-26 11:59:48 +0000 |
| commit | 434ea137cc932f9af59b58a3c0881a6832b70061 (patch) | |
| tree | da21e38138b7c4f0da32f18d3d36b6a3b2184b42 /sys/kern/vfs_aio.c | |
| parent | 2930db16a08e1de79d5aaf5a9dccef29a1e49d3f (diff) | |
| download | src-434ea137cc932f9af59b58a3c0881a6832b70061.tar.gz src-434ea137cc932f9af59b58a3c0881a6832b70061.zip | |
Although aio_nbytes is size_t, later is is signed to
casted types: to ssize_t in filesystem code and to
int in buf code, thus supplying a negative argument
leads to kernel panic later. To fix that check user
supplied argument in the beginning of syscall.
Submitted by: Maxim Dounin <mdounin mdounin.ru>, maxim@
Notes
Notes:
svn path=/head/; revision=230583
Diffstat (limited to 'sys/kern/vfs_aio.c')
| -rw-r--r-- | sys/kern/vfs_aio.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c index 7af9f552a417..fe682d870d87 100644 --- a/sys/kern/vfs_aio.c +++ b/sys/kern/vfs_aio.c @@ -1552,6 +1552,12 @@ aio_aqueue(struct thread *td, struct aiocb *job, struct aioliojob *lj, return (error); } + /* XXX: aio_nbytes is later casted to signed types. */ + if ((int)aiocbe->uaiocb.aio_nbytes < 0) { + uma_zfree(aiocb_zone, aiocbe); + return (EINVAL); + } + if (aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_KEVENT && aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_SIGNAL && aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_THREAD_ID && |