https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206581
--- Comment #3 from CTurt <ct...@hardenedbsd.org> ---
To clarify my original post, the bound check is fine.

However, there is a problem that multiple parts of this code use `copyin` without checking the result, which could possibly lead to the use of uninitialised stack data if the `copyin` calls fail.

`bxe_ioctl_nvram`:

    copyin(ifr->ifr_data, &nvdata_base, sizeof(nvdata_base));

    ...

    copyin(ifr->ifr_data, nvdata, len);
    error = bxe_nvram_write(sc, nvdata->offset, (uint8_t *)nvdata->value, nvdata->len);

`bxe_ioctl`:

    copyin(ifr->ifr_data, &priv_op, sizeof(priv_op));
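
The pattern reported in the comment above, modelled in userspace next to a hardened form. This is an added example, not code from the bxe driver or the bug report: the `copyin` stub, `struct nvram_hdr`, `mock_nvram_write` and the 0xA5 fill that stands in for stale stack bytes are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace stand-in for the kernel's copyin(9): returns 0 on success,
 * EFAULT when the source address is bad (modelled here as NULL). */
static int copyin(const void *uaddr, void *kaddr, size_t len)
{
    if (uaddr == NULL)
        return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Hypothetical request header; not the driver's real layout. */
struct nvram_hdr { uint32_t offset; uint32_t len; };

static uint32_t last_offset, last_len;  /* what the mock write received */
static int write_calls;

/* Hypothetical sink that records the arguments it was handed. */
static int mock_nvram_write(uint32_t offset, uint32_t len)
{
    last_offset = offset;
    last_len = len;
    write_calls++;
    return 0;
}

/* Pattern from the report: the result of copyin() is ignored. */
int ioctl_unchecked(const void *udata)
{
    struct nvram_hdr hdr;
    memset(&hdr, 0xA5, sizeof(hdr));   /* constructed stand-in for stale stack */
    copyin(udata, &hdr, sizeof(hdr));  /* a failure here goes unnoticed */
    return mock_nvram_write(hdr.offset, hdr.len);
}

/* Hardened form: return the error before any field of hdr is used. */
int ioctl_checked(const void *udata)
{
    struct nvram_hdr hdr;
    int error = copyin(udata, &hdr, sizeof(hdr));
    if (error != 0)
        return error;
    return mock_nvram_write(hdr.offset, hdr.len);
}
```

With a failing copy, the unchecked handler still reaches the write with whatever bytes the local held, while the checked handler returns `EFAULT` and the write is never called.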