]> git.michaelhowe.org Git - packages/o/openafs.git/commitdiff
projects / packages / o / openafs.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bdbfda3)
STABLE12-pioctl-buffer-size-checking-20030512
authorDavid Howells <dhowells@redhat.com>
Thu, 15 May 2003 16:12:15 +0000 (16:12 +0000)
committerDerrick Brashear <shadow@dementia.org>
Thu, 15 May 2003 16:12:15 +0000 (16:12 +0000)
FIXES 1413

buffers are signed, should be checked for negative in addition to smaller than
PIGGYSIZE; also, check out buffer size before calling pioctl handler.

(cherry picked from commit 7cd283e55e3559a42f451cf5d5f5d9dd09d20f21)

src/afs/afs_pioctl.c patch | blob | history

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 1b8912454da5eb7015717df0021d1d404b029a27..bbe233f0a7b472406e92216c8d1a7ed0f8526c32 100644 (file)
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -1084,7 +1084,11 @@ afs_HandlePioctl(avc, acom, ablob, afollow, acred)
        return EINVAL;  /* out of range */
     }
     inSize = ablob->in_size;
-    if (inSize >= PIGGYSIZE) return E2BIG;
+    
+    /* Do all range checking before continuing */
+    if ((inSize >= PIGGYSIZE) || (inSize < 0)) return E2BIG;
+    if ((ablob->out_size >= PIGGYSIZE) || (ablob->out_size < 0)) return E2BIG;
+
     inData = osi_AllocLargeSpace(AFS_LRALLOCSIZ);
     if (inSize > 0) {
       AFS_COPYIN(ablob->in, inData, inSize, code);