--- sys/dev/mpr/mpr_user.c.orig
+++ sys/dev/mpr/mpr_user.c
@@ -2266,6 +2266,10 @@
mpr_unlock(sc);
break;
case MPRIO_READ_CFG_PAGE:
+ if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) {
+ error = EINVAL;
+ break;
+ }
mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK | M_ZERO);
error = copyin(page_req->buf, mpr_page,
sizeof(MPI2_CONFIG_PAGE_HEADER));
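Review bot: The guard added under `MPRIO_READ_CFG_PAGE` bounds `page_req->len` only from below, so a caller-chosen length still reaches `malloc(page_req->len, M_MPRUSER, M_WAITOK | M_ZERO)` with no ceiling. With M_WAITOK an oversized request sleeps for memory instead of failing, so anyone able to issue this ioctl can tie up kernel memory. An upper limit belongs in the same test, for example `if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER) || page_req->len > MAX_CFG_PAGE_LEN) {`, where `MAX_CFG_PAGE_LEN` is a placeholder name for the largest config page the controller can return. The same gap is in the other two mpr hunks and all three mps hunks; the mpt hunks allocate through mpt_alloc_buffer(), which is outside the diff and may already cap the size.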
@@ -2284,6 +2288,11 @@
mpr_unlock(sc);
break;
case MPRIO_READ_EXT_CFG_PAGE:
+ if (ext_page_req->len <
+ (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) {
+ error = EINVAL;
+ break;
+ }
mpr_page = malloc(ext_page_req->len, M_MPRUSER,
M_WAITOK | M_ZERO);
error = copyin(ext_page_req->buf, mpr_page,
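Review bot: The `(int)` cast on `sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)` is what keeps this comparison signed, and nothing in the hunk says so. Assuming `ext_page_req->len` is a signed int (its declaration is outside the diff), dropping the cast would convert len to an unsigned type and let a negative length pass the test and go on to malloc(). A one-line comment above the check would stop a later cleanup from removing it: `/* signed compare on purpose: rejects negative len as well as short buffers */`. The same comment fits the other eight checks in this patch.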
@@ -2298,6 +2307,10 @@
error = copyout(mpr_page, ext_page_req->buf, ext_page_req->len);
break;
case MPRIO_WRITE_CFG_PAGE:
+ if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) {
+ error = EINVAL;
+ break;
+ }
mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK|M_ZERO);
error = copyin(page_req->buf, mpr_page, page_req->len);
if (error)
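Review bot: After this check the whole user buffer is copied in with `copyin(page_req->buf, mpr_page, page_req->len)`, and the header at its start carries its own PageLength field that the caller also controls. The case body continues past the end of the hunk, so it is not visible whether that field is compared against `page_req->len` before the page is handed to the controller. If it is not, the new lower bound guarantees that a header is present but not that the header describes the buffer that was actually allocated. A check after the copyin such as `if (((MPI2_CONFIG_PAGE_HEADER *)mpr_page)->PageLength * 4 > page_req->len) error = EINVAL;` would tie the two together; the factor of 4 assumes PageLength counts 32-bit words, which should be confirmed against the MPI2 headers.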
--- sys/dev/mps/mps_user.c.orig
+++ sys/dev/mps/mps_user.c
@@ -2168,6 +2168,10 @@
mps_unlock(sc);
break;
case MPSIO_READ_CFG_PAGE:
+ if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) {
+ error = EINVAL;
+ break;
+ }
mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK | M_ZERO);
error = copyin(page_req->buf, mps_page,
sizeof(MPI2_CONFIG_PAGE_HEADER));
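Review bot: The length test under `MPSIO_READ_CFG_PAGE` is written out again, character for character, under `MPSIO_WRITE_CFG_PAGE`, and a near copy sits under `MPSIO_READ_EXT_CFG_PAGE`. Any later tightening of the bound has to be repeated in every copy, and a missed copy leaves one ioctl path unvalidated. A small static helper per file, e.g. `static int mps_cfg_len_ok(int len, size_t hdr_size)`, called as `if (!mps_cfg_len_ok(page_req->len, sizeof(MPI2_CONFIG_PAGE_HEADER))) { error = EINVAL; break; }`, would keep the rule in one place; the helper name is only a suggestion.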
@@ -2186,6 +2190,11 @@
mps_unlock(sc);
break;
case MPSIO_READ_EXT_CFG_PAGE:
+ if (ext_page_req->len <
+ (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) {
+ error = EINVAL;
+ break;
+ }
mps_page = malloc(ext_page_req->len, M_MPSUSER, M_WAITOK|M_ZERO);
error = copyin(ext_page_req->buf, mps_page,
sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER));
@@ -2199,6 +2208,10 @@
error = copyout(mps_page, ext_page_req->buf, ext_page_req->len);
break;
case MPSIO_WRITE_CFG_PAGE:
+ if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) {
+ error = EINVAL;
+ break;
+ }
mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK|M_ZERO);
error = copyin(page_req->buf, mps_page, page_req->len);
if (error)
--- sys/dev/mpt/mpt_user.c.orig
+++ sys/dev/mpt/mpt_user.c
@@ -672,6 +672,10 @@
case MPTIO_READ_CFG_PAGE32:
#endif
case MPTIO_READ_CFG_PAGE:
+ if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) {
+ error = EINVAL;
+ break;
+ }
error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len);
if (error)
break;
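Review bot: The new check sits under both `MPTIO_READ_CFG_PAGE32` and `MPTIO_READ_CFG_PAGE`, so it is correct for the 32-bit compat ioctl only if `page_req` has already been filled in from the 32-bit request structure before the switch. That conversion is outside the hunk; if it happens later, `page_req->len` would be read from the wrong layout on the compat path and the bound would not mean anything. Worth confirming, and a short comment at the check would record the dependency: `/* page_req already converted from the 32-bit layout above */`. The same applies to the `MPTIO_READ_EXT_CFG_PAGE32` and `MPTIO_WRITE_CFG_PAGE32` hunks.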
@@ -698,6 +702,11 @@
case MPTIO_READ_EXT_CFG_PAGE32:
#endif
case MPTIO_READ_EXT_CFG_PAGE:
+ if (ext_page_req->len <
+ (int)sizeof(CONFIG_EXTENDED_PAGE_HEADER)) {
+ error = EINVAL;
+ break;
+ }
error = mpt_alloc_buffer(mpt, &mpt_page, ext_page_req->len);
if (error)
break;
@@ -717,6 +726,10 @@
case MPTIO_WRITE_CFG_PAGE32:
#endif
case MPTIO_WRITE_CFG_PAGE:
+ if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) {
+ error = EINVAL;
+ break;
+ }
error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len);
if (error)
break;