Date:      Fri, 22 Jul 2016 03:03:52 +0000 (UTC)
From:      Sean Bruno <sbruno@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r303172 - stable/10/sys/dev/hptmv
Message-ID:  <201607220303.u6M33qdk074157@repo.freebsd.org>

Author: sbruno
Date: Fri Jul 22 03:03:52 2016
New Revision: 303172
URL: https://svnweb.freebsd.org/changeset/base/303172

Log:
  MFC r298231
  hptmv(4) Fix potential buffer overflow in hpt_set_info.
  
  While here, adjust some whitespace and yield some useful debug info.
  
  This is untested on this hardware, testing requests to -scsi went
  unanswered.

Modified:
  stable/10/sys/dev/hptmv/hptproc.c

Modified: stable/10/sys/dev/hptmv/hptproc.c
==============================================================================
--- stable/10/sys/dev/hptmv/hptproc.c	Fri Jul 22 02:11:49 2016	(r303171)
+++ stable/10/sys/dev/hptmv/hptproc.c	Fri Jul 22 03:03:52 2016	(r303172)
@@ -290,7 +290,9 @@ hpt_set_info(int length)
 			/*
         	 	 * map buffer to kernel.
         	 	 */
-        		if (piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
+        		if (piop->nInBufferSize > PAGE_SIZE ||
+        			piop->nOutBufferSize > PAGE_SIZE ||
+        			piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
         			KdPrintE(("User buffer too large\n"));
         			return -EINVAL;
         		}
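Review bot: The two added per-field comparisons exist to keep the sum on the third line from wrapping, but nothing in the hunk says so; a comment such as `/* check each size on its own first so the sum below cannot wrap */` above the `if` would stop a later cleanup from collapsing the condition back to the single sum test. Whether wrap is actually reachable depends on the width and signedness of nInBufferSize and nOutBufferSize, which are declared outside this hunk; if either is a signed type, a negative value would pass all three tests, so the comparison against the size actually allocated for ke_area deserves a look as well. hpt_set_info begins and ends outside this hunk.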
@@ -301,8 +303,13 @@ hpt_set_info(int length)
 					return -EINVAL;
 				}
 
-			if (piop->nInBufferSize)
-				copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize);
+			if (piop->nInBufferSize) {
+				if (copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize) != 0) {
+					KdPrintE(("Failed to copyin from lpInBuffer\n"));
+					free(ke_area, M_DEVBUF);
+					return -EFAULT;
+				}
+			}
 
 			/*
 			  * call kernel handler.
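Review bot: The copyin failure path now releases ke_area and returns -EFAULT, which is the right errno for it, but the matching copy of the output buffer back to user space is not in this diff; judging by the `Kernel_ioctl(): return %d` context in the next hunk it presumably sits between the two hunks, and if it is still unchecked a failed copyout is silently ignored while the call reports success. The nested `if` could also be written as a single guard, `if (piop->nInBufferSize && copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize) != 0) {`, in the same early-return shape as the other checks in this function. hpt_set_info continues outside the hunk.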
@@ -324,7 +331,7 @@ hpt_set_info(int length)
 			else  KdPrintW(("Kernel_ioctl(): return %d\n", err));
 
 			free(ke_area, M_DEVBUF);
-            		return -EINVAL;
+			return -EINVAL;
 		} else 	{
     		KdPrintW(("Wrong signature: %x\n", piop->Magic));
     		return -EINVAL;


