Author: kib
Date: Wed Aug 10 13:50:21 2016
New Revision: 303916
URL: https://svnweb.freebsd.org/changeset/base/303916
Log:
Convert another tmpfs assert into runtime check.
The offset of the directory file, passed to getdirentries(2) syscall,
is user-controllable. The value of the offset must not be asserted,
instead the invalid value should be checked and rejected if invalid.
Reported and tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Modified:
head/sys/fs/tmpfs/tmpfs_subr.c
Modified: head/sys/fs/tmpfs/tmpfs_subr.c
==============================================================================
--- head/sys/fs/tmpfs/tmpfs_subr.c Wed Aug 10 13:49:17 2016
(r303915)
+++ head/sys/fs/tmpfs/tmpfs_subr.c Wed Aug 10 13:50:21 2016
(r303916)
@@ -819,10 +819,13 @@ tmpfs_dir_lookup_cookie(struct tmpfs_nod
goto out;
}
- MPASS((cookie & TMPFS_DIRCOOKIE_MASK) == cookie);
- dekey.td_hash = cookie;
- /* Recover if direntry for cookie was removed */
- de = RB_NFIND(tmpfs_dir, dirhead, &dekey);
+ if ((cookie & TMPFS_DIRCOOKIE_MASK) != cookie) {
+ de = NULL;
+ } else {
+ dekey.td_hash = cookie;
+ /* Recover if direntry for cookie was removed */
+ de = RB_NFIND(tmpfs_dir, dirhead, &dekey);
+ }
dc->tdc_tree = de;
dc->tdc_current = de;
if (de != NULL && tmpfs_dirent_duphead(de)) {
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
