diff options
author | Maxim Konovalov <maxim@FreeBSD.org> | 2005-02-24 13:14:41 +0000 |
---|---|---|
committer | Maxim Konovalov <maxim@FreeBSD.org> | 2005-02-24 13:14:41 +0000 |
commit | a6d008350d0e5bf875cd4e5558e6c2ed4175cb66 (patch) | |
tree | 52717fc1fa6dd0777445d744391749a635c5e178 /sys/net/if_clone.c | |
parent | a65e9283c544e795ea027e21a62e9c9e9dd4659c (diff) | |
download | src-a6d008350d0e5bf875cd4e5558e6c2ed4175cb66.tar.gz src-a6d008350d0e5bf875cd4e5558e6c2ed4175cb66.zip |
o Move ifcr_count sanity check up and reject negative values before we
panic at kmem_alloc() via malloc(9).
PR: kern/77748
Submitted by: Wojciech A. Koszek
OK'ed by: brooks
Security: local DoS, a sample code in the PR.
MFC after: 3 days
Notes
Notes:
svn path=/head/; revision=142378
Diffstat (limited to 'sys/net/if_clone.c')
-rw-r--r-- | sys/net/if_clone.c | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/sys/net/if_clone.c b/sys/net/if_clone.c index 389896dd0b24..7dd3d5998646 100644 --- a/sys/net/if_clone.c +++ b/sys/net/if_clone.c @@ -239,6 +239,9 @@ if_clone_list(struct if_clonereq *ifcr) struct if_clone *ifc; int buf_count, count, err = 0; + if (ifcr->ifcr_count < 0) + return (EINVAL); + IF_CLONERS_LOCK(); /* * Set our internal output buffer size. We could end up not @@ -261,12 +264,6 @@ if_clone_list(struct if_clonereq *ifcr) /* Just asking how many there are. */ goto done; } - - if (ifcr->ifcr_count < 0) { - err = EINVAL; - goto done; - } - count = (if_cloners_count < buf_count) ? if_cloners_count : buf_count; |