Date:      Fri, 20 Nov 2015 14:08:12 +0000 (UTC)
From:      Edward Tomasz Napierala <trasz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r291098 - head/sys/kern
Message-ID:  <201511201408.tAKE8CHi098896@repo.freebsd.org>

Author: trasz
Date: Fri Nov 20 14:08:12 2015
New Revision: 291098
URL: https://svnweb.freebsd.org/changeset/base/291098

Log:
  The freebsd4_getfsstat() was broken in r281551 to always return 0 on success.
  All versions of getfsstat(3) are supposed to return the number of [o]statfs
  structs in the array that was copied out.
  
  Also fix missing bounds checking and signed comparison of unsigned types.
  
  Submitted by:	bde@
  MFC after:	1 month
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/sys/kern/vfs_syscalls.c

Modified: head/sys/kern/vfs_syscalls.c
==============================================================================
--- head/sys/kern/vfs_syscalls.c	Fri Nov 20 12:32:49 2015	(r291097)
+++ head/sys/kern/vfs_syscalls.c	Fri Nov 20 14:08:12 2015	(r291098)
@@ -435,6 +435,8 @@ sys_getfsstat(td, uap)
 	size_t count;
 	int error;
 
+	if (uap->bufsize < 0 || uap->bufsize > SIZE_MAX)
+		return (EINVAL);
 	error = kern_getfsstat(td, &uap->buf, uap->bufsize, &count,
 	    UIO_USERSPACE, uap->flags);
 	if (error == 0)
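Review bot: The second clause of the added guard in sys_getfsstat(), `uap->bufsize > SIZE_MAX`, looks like it can never be true. The declaration of `bufsize` is outside this hunk, but the `< 0` test implies a signed type; if it is `long`, the value is converted to unsigned for the comparison and cannot exceed SIZE_MAX wherever size_t is at least as wide. That leaves a dead branch that reads like a real upper bound, and compilers may flag it as tautological. I would reduce the check to `if (uap->bufsize < 0)` and, if an upper limit is actually wanted, state it explicitly against a named constant. The function starts before and continues past this hunk.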
@@ -625,13 +627,18 @@ freebsd4_getfsstat(td, uap)
 	size_t count, size;
 	int error;
 
+	if (uap->bufsize < 0)
+		return (EINVAL);
 	count = uap->bufsize / sizeof(struct ostatfs);
+	if (count > SIZE_MAX / sizeof(struct statfs))
+		return (EINVAL);
 	size = count * sizeof(struct statfs);
 	error = kern_getfsstat(td, &buf, size, &count, UIO_SYSSPACE,
 	    uap->flags);
-	if (size > 0) {
+	td->td_retval[0] = count;
+	if (size != 0) {
 		sp = buf;
-		while (count > 0 && error == 0) {
+		while (count != 0 && error == 0) {
 			cvtstatfs(sp, &osb);
 			error = copyout(&osb, uap->buf, sizeof(osb));
 			sp++;
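Review bot: The added checks in freebsd4_getfsstat() keep `count * sizeof(struct statfs)` from wrapping, but they put no ceiling on `size`, which is still derived directly from the caller-supplied `uap->bufsize`. Because the buffer is filled with UIO_SYSSPACE and later released with `free(buf, M_TEMP)`, kern_getfsstat() presumably allocates kernel memory of that size, so a caller could ask for a very large allocation; that callee is not visible here, so this needs confirming. Consider clamping `count` to the number of mounted filesystems before the allocation (in kern_getfsstat() if that is where the malloc lives), and until then mark the spot with `/* XXX: size is caller-controlled; cap before allocating */`. The function body starts before this hunk and continues after it.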
@@ -640,8 +647,6 @@ freebsd4_getfsstat(td, uap)
 		}
 		free(buf, M_TEMP);
 	}
-	if (error == 0)
-		td->td_retval[0] = count;
 	return (error);
 }
 


