author | Kris Kennaway <kris@FreeBSD.org> | 2001-09-10 11:28:07 +0000 |
---|---|---|
committer | Kris Kennaway <kris@FreeBSD.org> | 2001-09-10 11:28:07 +0000 |
commit | bf61e266962ca1823db8cad0e512ca69a3480a0c (patch) | |
tree | fd84e8d4d01cdc0f4ba330211093170c75b99172 /sys/i4b | |
parent | 746b3df68f1f8030b49d60c080ab92fac77c270f (diff) | |
Fix some signed/unsigned integer confusion, and add bounds checking of
arguments to some functions.
Obtained from: NetBSD
Reviewed by: peter
MFC after: 2 weeks
Notes
Notes:
svn path=/head/; revision=83291
Diffstat (limited to 'sys/i4b')
-rw-r--r-- | sys/i4b/include/i4b_ioctl.h | 1 | ||||
-rw-r--r-- | sys/i4b/layer4/i4b_i4bdrv.c | 7 |
2 files changed, 8 insertions, 0 deletions
diff --git a/sys/i4b/include/i4b_ioctl.h b/sys/i4b/include/i4b_ioctl.h
index 9b062f1f25fc..e71c48656774 100644
--- a/sys/i4b/include/i4b_ioctl.h
+++ b/sys/i4b/include/i4b_ioctl.h
@@ -700,6 +700,7 @@ struct isdn_diagnostic_request {
 int controller; /* controller number */
 u_int32_t cmd; /* diagnostic command to execute */
 size_t in_param_len; /* length of additional input parameter */
+#define I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN 65536
 void *in_param; /* optional input parameter */
 size_t out_param_len; /* available output space */
 void *out_param; /* output data goes here */
diff --git a/sys/i4b/layer4/i4b_i4bdrv.c b/sys/i4b/layer4/i4b_i4bdrv.c
index 71c200f20af2..f26adf88003a 100644
--- a/sys/i4b/layer4/i4b_i4bdrv.c
+++ b/sys/i4b/layer4/i4b_i4bdrv.c
@@ -859,6 +859,13 @@ download_done:
 if(req.in_param_len) {
+ /* XXX arbitrary limit */
+ if (req.in_param_len >
+ I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN) {
+ error = EINVAL;
+ goto diag_done;
+ }
+
 req.in_param = malloc(r->in_param_len, M_DEVBUF, M_WAITOK);
 if(!req.in_param) |
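Review bot: `I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN` in sys/i4b/include/i4b_ioctl.h is added without a comment, and its name does not say which field it limits. The only explanation, "XXX arbitrary limit", sits in the driver source, while this header appears to be where a caller of the ioctl looks up the contract. I would document it at the definition, for example `#define I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN 65536 /* max in_param_len, in bytes; larger requests fail with EINVAL */`. The struct definition starts and ends outside the hunk.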
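Review bot: The new bound in sys/i4b/layer4/i4b_i4bdrv.c covers `in_param_len` only; `out_param_len` is also a caller-supplied `size_t` in the same request. If the code past this hunk sizes an allocation or copy from it (not visible here), it needs the same guard: `if (req.out_param_len > I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN) { error = EINVAL; goto diag_done; }`. Separately, the check tests `req.in_param_len` while the `malloc` on the next context line is sized from `r->in_param_len`. Unless `r` and `req` are guaranteed to hold the same value at this point, the validated length is not the one used, so I would allocate with `req.in_param_len`. The enclosing block and the `diag_done` label are outside the hunk, so please confirm the cleanup there copes with `req.in_param` still being unset on this early exit.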