]> git.michaelhowe.org Git - packages/o/openafs.git/commitdiff
projects / packages / o / openafs.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c3cee1d)
pioctl-buffer-size-checking-20030512
authorDavid Howells <dhowells@redhat.com>
Tue, 13 May 2003 04:55:13 +0000 (04:55 +0000)
committerDerrick Brashear <shadow@dementia.org>
Tue, 13 May 2003 04:55:13 +0000 (04:55 +0000)
FIXES 1413

buffers are signed, should be checked for negative in addition to smaller than
PIGGYSIZE; also, check out buffer size before calling pioctl handler.

src/afs/afs_pioctl.c patch | blob | history

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 6963bb192a91ffdcc9a93bae3f4dc6378c6b3b97..ae1f184fae086a75e919524b3bacb66e6c1ac951 100644 (file)
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -1066,7 +1066,11 @@ int afs_HandlePioctl(struct vnode *avp, afs_int32 acom,
        return EINVAL;          /* out of range */
     }
     inSize = ablob->in_size;
-    if (inSize >= PIGGYSIZE) return E2BIG;
+    
+    /* Do all range checking before continuing */
+    if ((inSize >= PIGGYSIZE) || (inSize < 0)) return E2BIG;
+    if ((ablob->out_size >= PIGGYSIZE) || (ablob->out_size < 0)) return E2BIG;
+
     inData = osi_AllocLargeSpace(AFS_LRALLOCSIZ);
     if (inSize > 0) {
        AFS_COPYIN(ablob->in, inData, inSize, code);