From: David Howells
Date: Tue, 13 May 2003 04:55:13 +0000 (+0000)
Subject: pioctl-buffer-size-checking-20030512
X-Git-Tag: openafs-devel-1_3_50~238
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=7cd283e55e3559a42f451cf5d5f5d9dd09d20f21;p=packages%2Fo%2Fopenafs.git
pioctl-buffer-size-checking-20030512
FIXES 1413 buffers are signed, should be checked for negative in addition to smaller than PIGGYSIZE; also, check out buffer size before calling pioctl handler.
---
diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 6963bb192..ae1f184fa 100644
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -1066,7 +1066,11 @@ int afs_HandlePioctl(struct vnode *avp, afs_int32 acom,
 return EINVAL; /* out of range */
 }
 inSize = ablob->in_size;
- if (inSize >= PIGGYSIZE) return E2BIG;
+
+ /* Do all range checking before continuing */
+ if ((inSize >= PIGGYSIZE) || (inSize < 0)) return E2BIG;
+ if ((ablob->out_size >= PIGGYSIZE) || (ablob->out_size < 0)) return E2BIG;
+
 inData = osi_AllocLargeSpace(AFS_LRALLOCSIZ);
 if (inSize > 0) {
 AFS_COPYIN(ablob->in, inData, inSize, code);
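Review bot: Nothing in the hunk ties the PIGGYSIZE limit used by the two new checks to the size of the buffer that AFS_COPYIN fills right after them, which comes from `osi_AllocLargeSpace(AFS_LRALLOCSIZ)`; a comment above the checks such as `/* PIGGYSIZE must stay <= AFS_LRALLOCSIZ, the size of inData */` would record the invariant the copy depends on. The out-size check also reads `ablob->out_size` in place rather than through a local the way `inSize` is handled, so whether the validated value is the one later used for the copy-out depends on code outside the hunk. Taking it once into a local (for example `outSize = ablob->out_size;`) and using only that afterwards would make the check and the use agree by construction. Negative sizes are reported as E2BIG, which may be deliberate for caller compatibility, though EINVAL would describe them more accurately. afs_HandlePioctl begins and ends outside the hunk.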