Site Navigation

Date:      Sat, 21 Dec 2019 18:50:25 +0000 (UTC)
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r355984 - stable/12/sys/dev/oce
Message-ID:  <201912211850.xBLIoPko055555@repo.freebsd.org>

---

next in thread | raw e-mail | index | archive | help

---

Author: markj
Date: Sat Dec 21 18:50:25 2019
New Revision: 355984
URL: https://svnweb.freebsd.org/changeset/base/355984

Log:
  MFC r355885:
  oce: Tighten input validation in the SIOCGI2C handler.

Modified:
  stable/12/sys/dev/oce/oce_if.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/dev/oce/oce_if.c
==============================================================================
--- stable/12/sys/dev/oce/oce_if.c	Sat Dec 21 16:16:43 2019	(r355983)
+++ stable/12/sys/dev/oce/oce_if.c	Sat Dec 21 18:50:25 2019	(r355984)
@@ -593,27 +593,26 @@ oce_ioctl(struct ifnet *ifp, u_long command, caddr_t d
 		if (rc)
 			break;
 
-		if (i2c.dev_addr != PAGE_NUM_A0 &&
-		    i2c.dev_addr != PAGE_NUM_A2) {
+		if (i2c.dev_addr == PAGE_NUM_A0) {
+			offset = i2c.offset;
+		} else if (i2c.dev_addr == PAGE_NUM_A2) {
+			offset = TRANSCEIVER_A0_SIZE + i2c.offset;
+		} else {
 			rc = EINVAL;
 			break;
 		}
 
-		if (i2c.len > sizeof(i2c.data)) {
+		if (i2c.len > sizeof(i2c.data) ||
+		    i2c.len + offset > sizeof(sfp_vpd_dump_buffer)) {
 			rc = EINVAL;
 			break;
 		}
 
 		rc = oce_mbox_read_transrecv_data(sc, i2c.dev_addr);
-		if(rc) {
+		if (rc) {
 			rc = -rc;
 			break;
 		}
-
-		if (i2c.dev_addr == PAGE_NUM_A0)
-			offset = i2c.offset;
-		else
-			offset = TRANSCEIVER_A0_SIZE + i2c.offset;
 
 		memcpy(&i2c.data[0], &sfp_vpd_dump_buffer[offset], i2c.len);
 

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201912211850.xBLIoPko055555>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact