From owner-svn-src-all@freebsd.org Tue Feb 19 21:33:03 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 314FC14DA588; Tue, 19 Feb 2019 21:33:03 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C96CF751A7; Tue, 19 Feb 2019 21:33:02 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BCA8E23A43; Tue, 19 Feb 2019 21:33:02 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x1JLX27Q017462; Tue, 19 Feb 2019 21:33:02 GMT (envelope-from markj@FreeBSD.org) Received: (from markj@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x1JLX20V017461; Tue, 19 Feb 2019 21:33:02 GMT (envelope-from markj@FreeBSD.org) Message-Id: <201902192133.x1JLX20V017461@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: markj set sender to markj@FreeBSD.org using -f From: Mark Johnston Date: Tue, 19 Feb 2019 21:33:02 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r344307 - head/sys/geom X-SVN-Group: head X-SVN-Commit-Author: markj X-SVN-Commit-Paths: head/sys/geom X-SVN-Commit-Revision: 344307 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: C96CF751A7 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.94 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.95)[-0.945,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Feb 2019 21:33:03 -0000 Author: markj Date: Tue Feb 19 21:33:02 2019 New Revision: 344307 URL: https://svnweb.freebsd.org/changeset/base/344307 Log: Limit the number of entries allocated for a REPORT_ZONES command. The DIOCGETZONE ioctl can be used to fetch the zone list of an SMR drive, and the caller specifies the number of entries it wants to fetch. Clamp the caller's request to a sane limit so that a user cannot attempt large allocations. Callers already need to invoke the ioctl multiple times to fetch the full list in general, so there's no harm in limiting the number of entries returned. Fix style while here. admbug: 807 Reported by: Ilja Van Sprundel Reviewed by: asomers, ken Tested by: ken MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19249 Modified: head/sys/geom/geom_dev.c Modified: head/sys/geom/geom_dev.c ============================================================================== --- head/sys/geom/geom_dev.c Tue Feb 19 21:27:30 2019 (r344306) +++ head/sys/geom/geom_dev.c Tue Feb 19 21:33:02 2019 (r344307) @@ -677,8 +677,10 @@ g_dev_ioctl(struct cdev *dev, u_long cmd, caddr_t data alloc_size = 0; if (zone_args->zone_cmd == DISK_ZONE_REPORT_ZONES) { - rep = &zone_args->zone_params.report; +#define MAXENTRIES (MAXPHYS / sizeof(struct disk_zone_rep_entry)) + if (rep->entries_allocated > MAXENTRIES) + rep->entries_allocated = MAXENTRIES; alloc_size = rep->entries_allocated * sizeof(struct disk_zone_rep_entry); if (alloc_size != 0) @@ -688,15 +690,11 @@ g_dev_ioctl(struct cdev *dev, u_long cmd, caddr_t data rep->entries = new_entries; } error = g_io_zonecmd(zone_args, cp); - if ((zone_args->zone_cmd == DISK_ZONE_REPORT_ZONES) - && (alloc_size != 0) - && (error == 0)) { + if (zone_args->zone_cmd == DISK_ZONE_REPORT_ZONES && + alloc_size != 0 && error == 0) error = copyout(new_entries, old_entries, alloc_size); - } - if ((old_entries != NULL) - && (rep != NULL)) + if (old_entries != NULL && rep != NULL) rep->entries = old_entries; - if (new_entries != NULL) g_free(new_entries); break;