Date: Sun, 10 Apr 2011 15:21:46 +0000 (UTC) From: Mikolaj Golub <trociny@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r220522 - head/sbin/hastd Message-ID: <201104101521.p3AFLkX6052101@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: trociny Date: Sun Apr 10 15:21:46 2011 New Revision: 220522 URL: http://svn.freebsd.org/changeset/base/220522 Log: In hast_proto_recv_data() check that the size of the data to be received does not exceed the buffer size. Approved by: pjd (mentor) MFC after: 1 week Modified: head/sbin/hastd/hast_proto.c Modified: head/sbin/hastd/hast_proto.c ============================================================================== --- head/sbin/hastd/hast_proto.c Sun Apr 10 15:11:19 2011 (r220521) +++ head/sbin/hastd/hast_proto.c Sun Apr 10 15:21:46 2011 (r220522) @@ -189,9 +189,12 @@ hast_proto_recv_data(const struct hast_r dptr = data; dsize = nv_get_uint32(nv, "size"); - if (dsize == 0) + if (dsize > size) { + errno = EINVAL; + goto end; + } else if (dsize == 0) { (void)nv_set_error(nv, 0); - else { + } else { if (proto_recv(conn, data, dsize) < 0) goto end; for (ii = sizeof(pipeline) / sizeof(pipeline[0]); ii > 0;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201104101521.p3AFLkX6052101>