FreeBSD Mail Archives

Date:      Fri, 3 Jun 2011 05:40:25 GMT
From:      Takuya ASADA <syuu@FreeBSD.org>
To:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   PERFORCE change 194138 for review
Message-ID:  <201106030540.p535ePaI007341@skunkworks.freebsd.org>

next in thread | raw e-mail | index | archive | help

http://p4web.freebsd.org/@@194138?ac=10

Change 194138 by syuu@x200 on 2011/06/03 05:39:56

	index size check on ioctl

Affected files ...

.. //depot/projects/soc2011/mq_bpf/src/sys/net/bpf.c#4 edit
.. //depot/projects/soc2011/mq_bpf/src/sys/net/if_var.h#3 edit

Differences ...

==== //depot/projects/soc2011/mq_bpf/src/sys/net/bpf.c#4 (text+ko) ====

@@ -1614,7 +1614,13 @@
 				error = EINVAL;
 				break;
 			}
+			struct ifnet *const ifp = d->bd_bif->bif_ifp;
 			index = *(uint32_t *)addr;
+			if (index > ifp->if_rxq_num) {
+				log(LOG_DEBUG, "index too large\n");
+				error = EINVAL;
+				break;
+			}
 			log(LOG_DEBUG, "index:%d\n", index);
 			d->bd_qmask.qm_rxq_mask[index] = TRUE;
 			break;
@@ -1637,7 +1643,13 @@
 				error = EINVAL;
 				break;
 			}
+			struct ifnet *const ifp = d->bd_bif->bif_ifp;
 			index = *(uint32_t *)addr;
+			if (index > ifp->if_rxq_num) {
+				log(LOG_DEBUG, "index too large\n");
+				error = EINVAL;
+				break;
+			}
 			log(LOG_DEBUG, "index:%d\n", index);
 			d->bd_qmask.qm_rxq_mask[index] = FALSE;
 			break;
@@ -1660,7 +1672,13 @@
 				error = EINVAL;
 				break;
 			}
+			struct ifnet *const ifp = d->bd_bif->bif_ifp;
 			index = *(uint32_t *)addr;
+			if (index > ifp->if_rxq_num) {
+				log(LOG_DEBUG, "index too large\n");
+				error = EINVAL;
+				break;
+			}
 			log(LOG_DEBUG, "index:%d\n", index);
 			*(uint32_t *)addr = d->bd_qmask.qm_rxq_mask[index];
 			break;
@@ -1683,7 +1701,13 @@
 				error = EINVAL;
 				break;
 			}
+			struct ifnet *const ifp = d->bd_bif->bif_ifp;
 			index = *(uint32_t *)addr;
+			if (index > ifp->if_txq_num) {
+				log(LOG_DEBUG, "index too large\n");
+				error = EINVAL;
+				break;
+			}
 			log(LOG_DEBUG, "index:%d\n", index);
 			d->bd_qmask.qm_txq_mask[index] = TRUE;
 			break;
@@ -1706,7 +1730,13 @@
 				error = EINVAL;
 				break;
 			}
+			struct ifnet *const ifp = d->bd_bif->bif_ifp;
 			index = *(uint32_t *)addr;
+			if (index > ifp->if_txq_num) {
+				log(LOG_DEBUG, "index too large\n");
+				error = EINVAL;
+				break;
+			}
 			log(LOG_DEBUG, "index:%d\n", index);
 			d->bd_qmask.qm_txq_mask[index] = FALSE;
 			break;
@@ -1729,7 +1759,13 @@
 				error = EINVAL;
 				break;
 			}
+			struct ifnet *const ifp = d->bd_bif->bif_ifp;
 			index = *(uint32_t *)addr;
+			if (index > ifp->if_txq_num) {
+				log(LOG_DEBUG, "index too large\n");
+				error = EINVAL;
+				break;
+			}
 			log(LOG_DEBUG, "index:%d\n", index);
 			*(uint32_t *)addr = d->bd_qmask.qm_txq_mask[index];
 			break;

==== //depot/projects/soc2011/mq_bpf/src/sys/net/if_var.h#3 (text+ko) ====

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201106030540.p535ePaI007341>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation