svn commit: r328315 - head/sys/dev/cxgb

Tue, 23 Jan 2018 21:17:12 -0800 

Author: np
Date: Wed Jan 24 05:16:11 2018
New Revision: 328315
URL: https://svnweb.freebsd.org/changeset/base/328315

Log:
  cxgb(4): Validate offset/len in the GET_EEPROM ioctl.
  
  Reported by:  Ilja Van Sprundel <ivansprun...@ioactive.com>

Modified:
  head/sys/dev/cxgb/cxgb_main.c

Modified: head/sys/dev/cxgb/cxgb_main.c
==============================================================================
--- head/sys/dev/cxgb/cxgb_main.c       Wed Jan 24 05:09:21 2018        
(r328314)
+++ head/sys/dev/cxgb/cxgb_main.c       Wed Jan 24 05:16:11 2018        
(r328315)
@@ -2958,8 +2958,14 @@ cxgb_extension_ioctl(struct cdev *dev, unsigned long c
        case CHELSIO_GET_EEPROM: {
                int i;
                struct ch_eeprom *e = (struct ch_eeprom *)data;
-               uint8_t *buf = malloc(EEPROMSIZE, M_DEVBUF, M_NOWAIT);
+               uint8_t *buf;
 
+               if (e->offset & 3 || e->offset >= EEPROMSIZE ||
+                   e->len > EEPROMSIZE || e->offset + e->len > EEPROMSIZE) {
+                       return (EINVAL);
+               }
+
+               buf = malloc(EEPROMSIZE, M_DEVBUF, M_NOWAIT);
                if (buf == NULL) {
                        return (ENOMEM);
                }
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to