From 8dd04cdcd72f3f105d237d1d85527888757e4ecf Mon Sep 17 00:00:00 2001 From: itojun Date: Sat, 3 Aug 2002 00:12:48 +0000 Subject: [PATCH] correct range check, have overflow check, fix type mismatches, for cmap args and some other calls. from openbsd --- sys/arch/amiga/dev/grf_cl.c | 8 ++-- sys/arch/amiga/dev/grf_cv.c | 8 ++-- sys/arch/amiga/dev/grf_et.c | 8 ++-- sys/arch/amiga/dev/grf_rh.c | 8 ++-- sys/arch/amiga/dev/grf_rt.c | 8 ++-- sys/arch/amiga/dev/grf_ul.c | 8 ++-- sys/arch/amiga/dev/view.c | 6 ++- sys/arch/hp300/hp300/hpux_machdep.c | 7 ++- sys/arch/i386/i386/sys_machdep.c | 7 +-- sys/arch/sparc/dev/cgfourteen.c | 72 ++++++++++++++--------------- sys/arch/sparc/dev/cgtwo.c | 6 +-- sys/arch/sun3/dev/bt_subr.c | 6 +-- sys/arch/sun3/dev/cg2.c | 6 +-- sys/arch/sun3/dev/cg4.c | 14 +++--- sys/compat/hpux/hpux_compat.c | 15 +++--- sys/compat/ibcs2/ibcs2_stat.c | 9 +++- sys/dev/ic/bt463.c | 13 +++--- sys/dev/ic/bt485.c | 12 ++--- sys/dev/ic/ibm561.c | 16 +++---- sys/dev/ic/igsfb.c | 8 ++-- sys/ufs/lfs/lfs_syscalls.c | 8 +++- 21 files changed, 135 insertions(+), 118 deletions(-) diff --git a/sys/arch/amiga/dev/grf_cl.c b/sys/arch/amiga/dev/grf_cl.c index 5e8471ecf4a8..2ecd55438cbc 100644 --- a/sys/arch/amiga/dev/grf_cl.c +++ b/sys/arch/amiga/dev/grf_cl.c @@ -1,4 +1,4 @@ -/* $NetBSD: grf_cl.c,v 1.30 2002/05/14 00:08:21 matt Exp $ */ +/* $NetBSD: grf_cl.c,v 1.31 2002/08/03 00:12:53 itojun Exp $ */ /* * Copyright (c) 1997 Klaus Burkert @@ -36,7 +36,7 @@ #include "opt_amigacons.h" #include -__KERNEL_RCSID(0, "$NetBSD: grf_cl.c,v 1.30 2002/05/14 00:08:21 matt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: grf_cl.c,v 1.31 2002/08/03 00:12:53 itojun Exp $"); #include "grfcl.h" #if NGRFCL > 0 @@ -1100,7 +1100,7 @@ cl_getcmap(gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return 0; - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; ba = gfp->g_regkva; 
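Review bot: The rewritten clamp in cl_getcmap, `cmap->count > 256 - cmap->index`, is only wrap-free if `index` and `count` are unsigned, and the definition of struct grf_colormap is not part of this patch. If those fields are signed, a negative index is not caught by `cmap->index >= 256` and makes `256 - cmap->index` exceed the table size, so the count is not clamped. Copying both fields into unsigned locals before the checks, as this commit does in cg4.c, would close that case: `u_int index = cmap->index, count = cmap->count;`. The same question applies to cl_putcmap and to the cv_, et_, rh_, rt_ and ul_ getcmap/putcmap hunks; all of these function bodies continue outside their hunks.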
@@ -1168,7 +1168,7 @@ cl_putcmap(gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return (0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first copy the colors into kernelspace */ diff --git a/sys/arch/amiga/dev/grf_cv.c b/sys/arch/amiga/dev/grf_cv.c index caea39fc70dd..8ecaa36059c6 100644 --- a/sys/arch/amiga/dev/grf_cv.c +++ b/sys/arch/amiga/dev/grf_cv.c @@ -1,4 +1,4 @@ -/* $NetBSD: grf_cv.c,v 1.30 2002/03/17 19:40:28 atatat Exp $ */ +/* $NetBSD: grf_cv.c,v 1.31 2002/08/03 00:12:54 itojun Exp $ */ /* * Copyright (c) 1995 Michael Teske @@ -33,7 +33,7 @@ #include "opt_amigacons.h" #include -__KERNEL_RCSID(0, "$NetBSD: grf_cv.c,v 1.30 2002/03/17 19:40:28 atatat Exp $"); +__KERNEL_RCSID(0, "$NetBSD: grf_cv.c,v 1.31 2002/08/03 00:12:54 itojun Exp $"); #include "grfcv.h" #if NGRFCV > 0 @@ -1047,7 +1047,7 @@ cv_getcmap(struct grf_softc *gfp, struct grf_colormap *cmap) if (cmap->count == 0 || cmap->index >= 256) return (0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first read colors out of the chip, then copyout to userspace */ @@ -1085,7 +1085,7 @@ cv_putcmap(struct grf_softc *gfp, struct grf_colormap *cmap) if (cmap->count == 0 || cmap->index >= 256) return (0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first copy the colors into kernelspace */ diff --git a/sys/arch/amiga/dev/grf_et.c b/sys/arch/amiga/dev/grf_et.c index 50654eb92a9c..a06b67d627ad 100644 --- a/sys/arch/amiga/dev/grf_et.c +++ b/sys/arch/amiga/dev/grf_et.c @@ -1,4 +1,4 @@ -/* $NetBSD: grf_et.c,v 1.15 2002/03/17 19:40:29 atatat Exp $ */ +/* $NetBSD: grf_et.c,v 1.16 2002/08/03 00:12:55 itojun Exp $ */ /* * Copyright (c) 1997 Klaus Burkert 
@@ -37,7 +37,7 @@ #include "opt_amigacons.h" #include -__KERNEL_RCSID(0, "$NetBSD: grf_et.c,v 1.15 2002/03/17 19:40:29 atatat Exp $"); +__KERNEL_RCSID(0, "$NetBSD: grf_et.c,v 1.16 2002/08/03 00:12:55 itojun Exp $"); #include "grfet.h" #if NGRFET > 0 @@ -834,7 +834,7 @@ et_getcmap(struct grf_softc *gfp, struct grf_colormap *cmap) if (cmap->count == 0 || cmap->index >= 256) return 0; - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; ba = gfp->g_regkva; @@ -885,7 +885,7 @@ et_putcmap(struct grf_softc *gfp, struct grf_colormap *cmap) if (cmap->count == 0 || cmap->index >= 256) return (0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first copy the colors into kernelspace */ diff --git a/sys/arch/amiga/dev/grf_rh.c b/sys/arch/amiga/dev/grf_rh.c index bc6118d765ee..16ed37711488 100644 --- a/sys/arch/amiga/dev/grf_rh.c +++ b/sys/arch/amiga/dev/grf_rh.c @@ -1,4 +1,4 @@ -/* $NetBSD: grf_rh.c,v 1.35 2002/03/17 19:40:29 atatat Exp $ */ +/* $NetBSD: grf_rh.c,v 1.36 2002/08/03 00:12:55 itojun Exp $ */ /* * Copyright (c) 1994 Markus Wild @@ -34,7 +34,7 @@ #include "opt_retina.h" #include -__KERNEL_RCSID(0, "$NetBSD: grf_rh.c,v 1.35 2002/03/17 19:40:29 atatat Exp $"); +__KERNEL_RCSID(0, "$NetBSD: grf_rh.c,v 1.36 2002/08/03 00:12:55 itojun Exp $"); #include "grfrh.h" #if NGRFRH > 0 @@ -1803,7 +1803,7 @@ rh_getcmap(struct grf_softc *gfp, struct grf_colormap *cmap) if (cmap->count == 0 || cmap->index >= 256) return 0; - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; ba = gfp->g_regkva; @@ -1838,7 +1838,7 @@ rh_putcmap(struct grf_softc *gfp, struct grf_colormap *cmap) if (cmap->count == 0 || cmap->index >= 256) return(0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first copy the colors into kernelspace */ 
diff --git a/sys/arch/amiga/dev/grf_rt.c b/sys/arch/amiga/dev/grf_rt.c index 525e6f135281..c356f8b87fd4 100644 --- a/sys/arch/amiga/dev/grf_rt.c +++ b/sys/arch/amiga/dev/grf_rt.c @@ -1,4 +1,4 @@ -/* $NetBSD: grf_rt.c,v 1.42 2002/03/17 19:40:30 atatat Exp $ */ +/* $NetBSD: grf_rt.c,v 1.43 2002/08/03 00:12:56 itojun Exp $ */ /* * Copyright (c) 1993 Markus Wild @@ -33,7 +33,7 @@ #include "opt_amigacons.h" #include -__KERNEL_RCSID(0, "$NetBSD: grf_rt.c,v 1.42 2002/03/17 19:40:30 atatat Exp $"); +__KERNEL_RCSID(0, "$NetBSD: grf_rt.c,v 1.43 2002/08/03 00:12:56 itojun Exp $"); #include "grfrt.h" #if NGRFRT > 0 @@ -1128,7 +1128,7 @@ rt_getcmap(struct grf_softc *gfp, struct grf_colormap *cmap) if (cmap->count == 0 || cmap->index >= 256) return (0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; ba = gfp->g_regkva; @@ -1164,7 +1164,7 @@ rt_putcmap(struct grf_softc *gfp, struct grf_colormap *cmap) if (cmap->count == 0 || cmap->index >= 256) return 0; - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first copy the colors into kernelspace */ diff --git a/sys/arch/amiga/dev/grf_ul.c b/sys/arch/amiga/dev/grf_ul.c index df48e482d079..e971cbba3724 100644 --- a/sys/arch/amiga/dev/grf_ul.c +++ b/sys/arch/amiga/dev/grf_ul.c @@ -1,4 +1,4 @@ -/* $NetBSD: grf_ul.c,v 1.31 2002/03/17 19:40:30 atatat Exp $ */ +/* $NetBSD: grf_ul.c,v 1.32 2002/08/03 00:12:57 itojun Exp $ */ #define UL_DEBUG /*- @@ -40,7 +40,7 @@ #include "opt_amigacons.h" #include -__KERNEL_RCSID(0, "$NetBSD: grf_ul.c,v 1.31 2002/03/17 19:40:30 atatat Exp $"); +__KERNEL_RCSID(0, "$NetBSD: grf_ul.c,v 1.32 2002/08/03 00:12:57 itojun Exp $"); #include "grful.h" #if NGRFUL > 0 
@@ -798,7 +798,7 @@ ul_getcmap (gp, cmap, dev) if (cmap->count == 0 || cmap->index >= mxidx) return 0; - if (cmap->index + cmap->count > mxidx) + if (cmap->count > mxidx - cmap->index) cmap->count = mxidx - cmap->index; /* just copyout from the shadow color map */ @@ -841,7 +841,7 @@ ul_putcmap (gp, cmap, dev) if (cmap->count == 0 || cmap->index >= mxidx) return 0; - if (cmap->index + cmap->count > mxidx) + if (cmap->count > mxidx - cmap->index) cmap->count = mxidx - cmap->index; /* first copyin to our shadow color map */ diff --git a/sys/arch/amiga/dev/view.c b/sys/arch/amiga/dev/view.c index 3ebb89b0e22a..88a6138e7695 100644 --- a/sys/arch/amiga/dev/view.c +++ b/sys/arch/amiga/dev/view.c @@ -1,4 +1,4 @@ -/* $NetBSD: view.c,v 1.20 2002/03/17 19:40:32 atatat Exp $ */ +/* $NetBSD: view.c,v 1.21 2002/08/03 00:12:58 itojun Exp $ */ /* * Copyright (c) 1994 Christian E. Hopps @@ -38,7 +38,7 @@ * a interface to graphics. */ #include -__KERNEL_RCSID(0, "$NetBSD: view.c,v 1.20 2002/03/17 19:40:32 atatat Exp $"); +__KERNEL_RCSID(0, "$NetBSD: view.c,v 1.21 2002/08/03 00:12:58 itojun Exp $"); #include #include @@ -334,6 +334,8 @@ view_get_colormap(struct view_softc *vu, colormap_t *ucm) u_long *uep; /* add one incase of zero, ick. */ + if (ucm->size + 1 > SIZE_T_MAX / sizeof(u_long)) + return EINVAL; cme = malloc(sizeof (u_long)*(ucm->size + 1), M_IOCTLOPS, M_WAITOK); if (cme == NULL) return(ENOMEM); diff --git a/sys/arch/hp300/hp300/hpux_machdep.c b/sys/arch/hp300/hp300/hpux_machdep.c index 18dfd326b4d7..03a44b2e0986 100644 --- a/sys/arch/hp300/hp300/hpux_machdep.c +++ b/sys/arch/hp300/hp300/hpux_machdep.c @@ -1,4 +1,4 @@ -/* $NetBSD: hpux_machdep.c,v 1.29 2002/07/04 23:32:03 thorpej Exp $ */ +/* $NetBSD: hpux_machdep.c,v 1.30 2002/08/03 00:12:58 itojun Exp $ */ /*- * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc. 
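Review bot: The new guard in view_get_colormap evaluates `ucm->size + 1` before comparing, so the addition can wrap (or overflow, if the field is signed) before the bound is tested; the field's type is declared outside this hunk. Comparing without the addition avoids that: `if (ucm->size >= SIZE_T_MAX / sizeof(u_long)) return EINVAL;`. Note also that the guard only prevents the multiplication from wrapping; it still admits very large M_WAITOK allocations, so a bound tied to the largest colormap the driver supports would be tighter. The function body continues past the end of the hunk.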
@@ -78,7 +78,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: hpux_machdep.c,v 1.29 2002/07/04 23:32:03 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: hpux_machdep.c,v 1.30 2002/08/03 00:12:58 itojun Exp $"); #include #include @@ -280,6 +280,9 @@ hpux_sys_getcontext(p, v, retval) int l, i, error = 0; int len; + if (SCARG(uap, len) <= 0) + return (EINVAL); + for (i = 0; context_table[i].str != NULL; i++) if (context_table[i].val == fputype) break; diff --git a/sys/arch/i386/i386/sys_machdep.c b/sys/arch/i386/i386/sys_machdep.c index 6cf6e559eae6..1dbea3ffc0bd 100644 --- a/sys/arch/i386/i386/sys_machdep.c +++ b/sys/arch/i386/i386/sys_machdep.c @@ -1,4 +1,4 @@ -/* $NetBSD: sys_machdep.c,v 1.62 2002/03/22 18:41:40 christos Exp $ */ +/* $NetBSD: sys_machdep.c,v 1.63 2002/08/03 00:12:48 itojun Exp $ */ /*- * Copyright (c) 1998 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.62 2002/03/22 18:41:40 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.63 2002/08/03 00:12:48 itojun Exp $"); #include "opt_vm86.h" #include "opt_user_ldt.h" @@ -123,7 +123,8 @@ i386_get_ldt(p, args, retval) ua.num, ua.desc); #endif - if (ua.start < 0 || ua.num < 0) + if (ua.start < 0 || ua.num < 0 || ua.start > 8192 || ua.num > 8192 || + ua.start + ua.num > 8192) return (EINVAL); /* diff --git a/sys/arch/sparc/dev/cgfourteen.c b/sys/arch/sparc/dev/cgfourteen.c index ce9593012900..ad9102ea23eb 100644 --- a/sys/arch/sparc/dev/cgfourteen.c +++ b/sys/arch/sparc/dev/cgfourteen.c @@ -1,4 +1,4 @@ -/* $NetBSD: cgfourteen.c,v 1.23 2002/04/03 16:34:11 darrenr Exp $ */ +/* $NetBSD: cgfourteen.c,v 1.24 2002/08/03 00:12:59 itojun Exp $ */ /* * Copyright (c) 1996 
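Review bot: The bound added to i386_get_ldt repeats the literal 8192 three times with no explanation; a named constant and a short comment would make the intent reviewable. Something like `/* 8192 = maximum number of LDT descriptors; bounding start and num first keeps start + num from overflowing */` above the test records why all three comparisons are needed. The arithmetic itself looks sound, because both operands are range-checked before they are added. The rest of the function lies outside the hunk, so whether later code re-derives the same limit cannot be checked here.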
@@ -747,68 +747,68 @@ cg14_get_cmap(p, cm, cmsize) union cg14cmap *cm; int cmsize; { - u_int i, start, count; - u_char *cp; + u_int i, start, count; + u_char *cp; - start = p->index; - count = p->count; - if (start >= cmsize || start + count > cmsize) + start = p->index; + count = p->count; + if (start >= cmsize || count > cmsize - start) #ifdef DEBUG { printf("putcmaperror: start %d cmsize %d count %d\n", start,cmsize,count); #endif - return (EINVAL); + return (EINVAL); #ifdef DEBUG } #endif - if (!uvm_useracc(p->red, count, B_WRITE) || - !uvm_useracc(p->green, count, B_WRITE) || - !uvm_useracc(p->blue, count, B_WRITE)) - return (EFAULT); - for (cp = &cm->cm_map[start][0], i = 0; i < count; cp += 4, i++) { - p->red[i] = cp[3]; - p->green[i] = cp[2]; - p->blue[i] = cp[1]; - } - return (0); + if (!uvm_useracc(p->red, count, B_WRITE) || + !uvm_useracc(p->green, count, B_WRITE) || + !uvm_useracc(p->blue, count, B_WRITE)) + return (EFAULT); + for (cp = &cm->cm_map[start][0], i = 0; i < count; cp += 4, i++) { + p->red[i] = cp[3]; + p->green[i] = cp[2]; + p->blue[i] = cp[1]; + } + return (0); } /* Write the software shadow colormap */ static int cg14_put_cmap(p, cm, cmsize) - struct fbcmap *p; - union cg14cmap *cm; - int cmsize; + struct fbcmap *p; + union cg14cmap *cm; + int cmsize; { - u_int i, start, count; - u_char *cp; + u_int i, start, count; + u_char *cp; - start = p->index; - count = p->count; - if (start >= cmsize || start + count > cmsize) + start = p->index; + count = p->count; + if (start >= cmsize || count > cmsize - start) #ifdef DEBUG { printf("putcmaperror: start %d cmsize %d count %d\n", start,cmsize,count); #endif - return (EINVAL); + return (EINVAL); #ifdef DEBUG } #endif - if (!uvm_useracc(p->red, count, B_READ) || - !uvm_useracc(p->green, count, B_READ) || - !uvm_useracc(p->blue, count, B_READ)) - return (EFAULT); - for (cp = &cm->cm_map[start][0], i = 0; i < count; cp += 4, i++) { - cp[3] = p->red[i]; - cp[2] = p->green[i]; - cp[1] = p->blue[i]; + 
if (!uvm_useracc(p->red, count, B_READ) || + !uvm_useracc(p->green, count, B_READ) || + !uvm_useracc(p->blue, count, B_READ)) + return (EFAULT); + for (cp = &cm->cm_map[start][0], i = 0; i < count; cp += 4, i++) { + cp[3] = p->red[i]; + cp[2] = p->green[i]; + cp[1] = p->blue[i]; cp[0] = 0; /* no alpha channel */ - } - return (0); + } + return (0); } static void diff --git a/sys/arch/sparc/dev/cgtwo.c b/sys/arch/sparc/dev/cgtwo.c index 553afe552634..a45b55af99c4 100644 --- a/sys/arch/sparc/dev/cgtwo.c +++ b/sys/arch/sparc/dev/cgtwo.c @@ -1,4 +1,4 @@ -/* $NetBSD: cgtwo.c,v 1.35 2001/08/05 18:07:53 jdolecek Exp $ */ +/* $NetBSD: cgtwo.c,v 1.36 2002/08/03 00:13:00 itojun Exp $ */ /* * Copyright (c) 1992, 1993 @@ -328,7 +328,7 @@ cgtwogetcmap(sc, cmap) start = cmap->index; count = cmap->count; ecount = start + count; - if (start >= CG2_CMSIZE || ecount > CG2_CMSIZE) + if (start >= CG2_CMSIZE || count > CG2_CMSIZE - start) return (EINVAL); /* XXX - Wait for retrace? */ @@ -371,7 +371,7 @@ cgtwoputcmap(sc, cmap) start = cmap->index; count = cmap->count; ecount = start + count; - if (start >= CG2_CMSIZE || ecount > CG2_CMSIZE) + if (start >= CG2_CMSIZE || count > CG2_CMSIZE - start) return (EINVAL); /* Copy from user space to local arrays. */ diff --git a/sys/arch/sun3/dev/bt_subr.c b/sys/arch/sun3/dev/bt_subr.c index 0c2b7ca1de93..8e493d705619 100644 --- a/sys/arch/sun3/dev/bt_subr.c +++ b/sys/arch/sun3/dev/bt_subr.c @@ -1,4 +1,4 @@ -/* $NetBSD: bt_subr.c,v 1.4 2001/09/19 18:10:34 thorpej Exp $ */ +/* $NetBSD: bt_subr.c,v 1.5 2002/08/03 00:13:00 itojun Exp $ */ /* * Copyright (c) 1993 @@ -73,7 +73,7 @@ bt_getcmap(p, cm, cmsize) start = p->index; count = p->count; - if (start >= cmsize || start + count > cmsize) + if (start >= cmsize || count > cmsize - start) return (EINVAL); if (!useracc(p->red, count, B_WRITE) || !useracc(p->green, count, B_WRITE) || 
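Review bot: cg14_get_cmap and cg14_put_cmap still validate the user buffers with uvm_useracc() and then dereference `p->red[i]`, `p->green[i]` and `p->blue[i]` directly in the loop, which this commit leaves as it was. uvm_useracc() is a point-in-time check, so the mapping can change between the check and the accesses; copyout()/copyin() through a kernel-side buffer would fault safely instead. If that is out of scope here, a marker such as `/* XXX uvm_useracc() is advisory only; convert to copyin/copyout */` above each check would keep it visible. Separately, the DEBUG printf in cg14_get_cmap still says "putcmaperror" and prints u_int values with `%d`.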
@@ -101,7 +101,7 @@ bt_putcmap(p, cm, cmsize) start = p->index; count = p->count; - if (start >= cmsize || start + count > cmsize) + if (start >= cmsize || count > cmsize - start) return (EINVAL); if (!useracc(p->red, count, B_READ) || !useracc(p->green, count, B_READ) || diff --git a/sys/arch/sun3/dev/cg2.c b/sys/arch/sun3/dev/cg2.c index 84f618de44a5..a6448f6bafed 100644 --- a/sys/arch/sun3/dev/cg2.c +++ b/sys/arch/sun3/dev/cg2.c @@ -1,4 +1,4 @@ -/* $NetBSD: cg2.c,v 1.16 2001/09/19 18:10:34 thorpej Exp $ */ +/* $NetBSD: cg2.c,v 1.17 2002/08/03 00:13:01 itojun Exp $ */ /* * Copyright (c) 1992, 1993 @@ -317,7 +317,7 @@ static int cg2getcmap(fb, data) start = cmap->index; count = cmap->count; ecount = start + count; - if (start >= CMSIZE || ecount > CMSIZE) + if (start >= CMSIZE || count > CMSIZE - start) return (EINVAL); /* XXX - Wait for retrace? */ @@ -360,7 +360,7 @@ static int cg2putcmap(fb, data) start = cmap->index; count = cmap->count; ecount = start + count; - if (start >= CMSIZE || ecount > CMSIZE) + if (start >= CMSIZE || count > CMSIZE - start) return (EINVAL); /* Copy from user space to local arrays. */ diff --git a/sys/arch/sun3/dev/cg4.c b/sys/arch/sun3/dev/cg4.c index 059ec88af52a..d181f5ea9ded 100644 --- a/sys/arch/sun3/dev/cg4.c +++ b/sys/arch/sun3/dev/cg4.c @@ -1,4 +1,4 @@ -/* $NetBSD: cg4.c,v 1.23 2001/09/19 18:10:34 thorpej Exp $ */ +/* $NetBSD: cg4.c,v 1.24 2002/08/03 00:13:01 itojun Exp $ */ /* * Copyright (c) 1992, 1993 @@ -468,12 +468,12 @@ static int cg4getcmap(fb, data) struct cg4_softc *sc = fb->fb_private; struct soft_cmap *cm = &sc->sc_cmap; struct fbcmap *fbcm = data; - int error, start, count; + u_int start, count; + int error; start = fbcm->index; count = fbcm->count; - if ((start < 0) || (start >= CMAP_SIZE) || - (count < 0) || (start + count > CMAP_SIZE) ) + if (start >= CMAP_SIZE || count > CMAP_SIZE - start) return (EINVAL); if ((error = copyout(&cm->r[start], fbcm->red, count)) != 0) 
@@ -499,12 +499,12 @@ static int cg4putcmap(fb, data) struct cg4_softc *sc = fb->fb_private; struct soft_cmap *cm = &sc->sc_cmap; struct fbcmap *fbcm = data; - int error, start, count; + u_int start, count; + int error; start = fbcm->index; count = fbcm->count; - if ((start < 0) || (start >= CMAP_SIZE) || - (count < 0) || (start + count > CMAP_SIZE) ) + if (start >= CMAP_SIZE || count > CMAP_SIZE - start) return (EINVAL); if ((error = copyin(fbcm->red, &cm->r[start], count)) != 0) diff --git a/sys/compat/hpux/hpux_compat.c b/sys/compat/hpux/hpux_compat.c index c46216947554..f52374889dda 100644 --- a/sys/compat/hpux/hpux_compat.c +++ b/sys/compat/hpux/hpux_compat.c @@ -1,4 +1,4 @@ -/* $NetBSD: hpux_compat.c,v 1.59 2002/03/16 20:43:50 christos Exp $ */ +/* $NetBSD: hpux_compat.c,v 1.60 2002/08/03 00:12:51 itojun Exp $ */ /* * Copyright (c) 1988 University of Utah. @@ -47,7 +47,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: hpux_compat.c,v 1.59 2002/03/16 20:43:50 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: hpux_compat.c,v 1.60 2002/08/03 00:12:51 itojun Exp $"); #if defined(_KERNEL_OPT) #include "opt_sysv.h" @@ -402,10 +402,13 @@ hpux_sys_utssys(p, v, retval) /* gethostname */ case 5: /* SCARG(uap, dev) is length */ - if (SCARG(uap, dev) > hostnamelen + 1) - SCARG(uap, dev) = hostnamelen + 1; - error = copyout((caddr_t)hostname, (caddr_t)SCARG(uap, uts), - SCARG(uap, dev)); + i = SCARG(uap, dev); + if (i < 0) { + error = EINVAL; + break; + } else if (i > hostnamelen + 1) + i = hostnamelen + 1; + error = copyout((caddr_t)hostname, (caddr_t)SCARG(uap, uts), i); break; case 1: /* ?? */ diff --git a/sys/compat/ibcs2/ibcs2_stat.c b/sys/compat/ibcs2/ibcs2_stat.c index acc6a4459e24..fe9ac5ae617a 100644 --- a/sys/compat/ibcs2/ibcs2_stat.c +++ b/sys/compat/ibcs2/ibcs2_stat.c 
@@ -1,4 +1,4 @@ -/* $NetBSD: ibcs2_stat.c,v 1.19 2002/03/16 20:43:51 christos Exp $ */ +/* $NetBSD: ibcs2_stat.c,v 1.20 2002/08/03 00:12:52 itojun Exp $ */ /* * Copyright (c) 1995, 1998 Scott Bartram * All rights reserved. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.19 2002/03/16 20:43:51 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.20 2002/08/03 00:12:52 itojun Exp $"); #include #include @@ -87,6 +87,11 @@ cvt_statfs(sp, buf, len) { struct ibcs2_statfs ssfs; + if (len < 0) + return (EINVAL); + if (len > sizeof(ssfs)); + len = sizeof(ssfs); + memset(&ssfs, 0, sizeof ssfs); ssfs.f_fstyp = 0; ssfs.f_bsize = sp->f_bsize; diff --git a/sys/dev/ic/bt463.c b/sys/dev/ic/bt463.c index f07013b607db..8573c9214bd6 100644 --- a/sys/dev/ic/bt463.c +++ b/sys/dev/ic/bt463.c @@ -1,4 +1,4 @@ -/* $NetBSD: bt463.c,v 1.7 2001/12/12 07:47:46 elric Exp $ */ +/* $NetBSD: bt463.c,v 1.8 2002/08/03 00:13:02 itojun Exp $ */ /*- * Copyright (c) 1998 The NetBSD Foundation, Inc. @@ -69,7 +69,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: bt463.c,v 1.7 2001/12/12 07:47:46 elric Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bt463.c,v 1.8 2002/08/03 00:13:02 itojun Exp $"); #include #include @@ -369,7 +369,7 @@ bt463_set_cmap(rc, cmapp) int s; if (cmapp->index >= BT463_NCMAP_ENTRIES || - (cmapp->index + cmapp->count) > BT463_NCMAP_ENTRIES) + cmapp->count > BT463_NCMAP_ENTRIES - cmapp->index) return (EINVAL); if (!uvm_useracc(cmapp->red, cmapp->count, B_READ) || !uvm_useracc(cmapp->green, cmapp->count, B_READ) || @@ -398,10 +398,11 @@ bt463_get_cmap(rc, cmapp) struct wsdisplay_cmap *cmapp; { struct bt463data *data = (struct bt463data *)rc; - int error, count, index; + u_int count, index; + int error; - if ((u_int)cmapp->index >= BT463_NCMAP_ENTRIES || - ((u_int)cmapp->index + (u_int)cmapp->count) > BT463_NCMAP_ENTRIES) + if (cmapp->index >= BT463_NCMAP_ENTRIES || + cmapp->count > BT463_NCMAP_ENTRIES - cmapp->index) return (EINVAL); count = cmapp->count; 
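Review bot: The added clamp in cvt_statfs has a stray semicolon, `if (len > sizeof(ssfs));`, so the `if` controls an empty statement and `len = sizeof(ssfs);` runs unconditionally. Any caller-supplied length smaller than the structure is therefore raised to the full structure size rather than honoured, and if `len` is later used as the copy length (that code is outside the hunk) the copy can be larger than the buffer the caller described. The line should read `if (len > sizeof(ssfs))`. Building with an empty-body warning enabled would have flagged this.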
diff --git a/sys/dev/ic/bt485.c b/sys/dev/ic/bt485.c index 934b6dbe0236..904e412e549f 100644 --- a/sys/dev/ic/bt485.c +++ b/sys/dev/ic/bt485.c @@ -1,4 +1,4 @@ -/* $NetBSD: bt485.c,v 1.8 2001/12/12 07:47:46 elric Exp $ */ +/* $NetBSD: bt485.c,v 1.9 2002/08/03 00:13:03 itojun Exp $ */ /* * Copyright (c) 1995, 1996 Carnegie-Mellon University. @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: bt485.c,v 1.8 2001/12/12 07:47:46 elric Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bt485.c,v 1.9 2002/08/03 00:13:03 itojun Exp $"); #include #include @@ -266,7 +266,7 @@ bt485_set_cmap(rc, cmapp) u_int count, index; int s; - if (cmapp->index >= 256 || (cmapp->index + cmapp->count) > 256) + if (cmapp->index >= 256 || cmapp->count > 256 - cmapp->index) return (EINVAL); if (!uvm_useracc(cmapp->red, cmapp->count, B_READ) || !uvm_useracc(cmapp->green, cmapp->count, B_READ) || @@ -295,10 +295,10 @@ bt485_get_cmap(rc, cmapp) struct wsdisplay_cmap *cmapp; { struct bt485data *data = (struct bt485data *)rc; - int error, count, index; + u_int count, index; + int error; - if ((u_int)cmapp->index >= 256 || - ((u_int)cmapp->index + (u_int)cmapp->count) > 256) + if (cmapp->index >= 256 || cmapp->count > 256 - cmapp->index ) return (EINVAL); count = cmapp->count; diff --git a/sys/dev/ic/ibm561.c b/sys/dev/ic/ibm561.c index f4143cc73b3b..84cf3e201270 100644 --- a/sys/dev/ic/ibm561.c +++ b/sys/dev/ic/ibm561.c @@ -1,4 +1,4 @@ -/* $NetBSD: ibm561.c,v 1.2 2002/01/12 16:03:12 tsutsui Exp $ */ +/* $NetBSD: ibm561.c,v 1.3 2002/08/03 00:13:03 itojun Exp $ */ /*- * Copyright (c) 2001 The NetBSD Foundation, Inc. 
@@ -273,12 +273,11 @@ ibm561_set_cmap(rc, cmapp) struct wsdisplay_cmap *cmapp; { struct ibm561data *data = (struct ibm561data *)rc; - int count; - int index; + u_int count, index; int s; - if ((u_int)cmapp->index >= IBM561_NCMAP_ENTRIES || - ((u_int)cmapp->index + (u_int)cmapp->count) > IBM561_NCMAP_ENTRIES) + if (cmapp->index >= IBM561_NCMAP_ENTRIES || + cmapp->count > IBM561_NCMAP_ENTRIES - cmapp->index) return (EINVAL); if (!uvm_useracc(cmapp->red, cmapp->count, B_READ) || !uvm_useracc(cmapp->green, cmapp->count, B_READ) || @@ -303,12 +302,11 @@ ibm561_get_cmap(rc, cmapp) struct wsdisplay_cmap *cmapp; { struct ibm561data *data = (struct ibm561data *)rc; + u_int count, index; int error; - int count; - int index; - if ((u_int)cmapp->index >= IBM561_NCMAP_ENTRIES || - ((u_int)cmapp->index + (u_int)cmapp->count) > IBM561_NCMAP_ENTRIES) + if (cmapp->index >= IBM561_NCMAP_ENTRIES || + cmapp->count > IBM561_NCMAP_ENTRIES - cmapp->index) return (EINVAL); count = cmapp->count; index = cmapp->index; diff --git a/sys/dev/ic/igsfb.c b/sys/dev/ic/igsfb.c index 3a7faa24f863..1312f0d0e849 100644 --- a/sys/dev/ic/igsfb.c +++ b/sys/dev/ic/igsfb.c @@ -1,4 +1,4 @@ -/* $NetBSD: igsfb.c,v 1.4 2002/07/21 02:56:35 uwe Exp $ */ +/* $NetBSD: igsfb.c,v 1.5 2002/08/03 00:13:03 itojun Exp $ */ /* * Copyright (c) 2002 Valeriy E. Ushakov @@ -32,7 +32,7 @@ * Only tested on IGA 1682 in Krups JavaStation-NC. */ #include -__KERNEL_RCSID(0, "$NetBSD: igsfb.c,v 1.4 2002/07/21 02:56:35 uwe Exp $"); +__KERNEL_RCSID(0, "$NetBSD: igsfb.c,v 1.5 2002/08/03 00:13:03 itojun Exp $"); #include #include @@ -597,7 +597,7 @@ igsfb_get_cmap(sc, p) { u_int index = p->index, count = p->count; - if (index >= IGS_CMAP_SIZE || (index + count) > IGS_CMAP_SIZE) + if (index >= IGS_CMAP_SIZE || count > IGS_CMAP_SIZE - index) return (EINVAL); if (!uvm_useracc(p->red, count, B_WRITE) || 
@@ -624,7 +624,7 @@ igsfb_set_cmap(sc, p) { u_int index = p->index, count = p->count; - if (index >= IGS_CMAP_SIZE || (index + count) > IGS_CMAP_SIZE) + if (index >= IGS_CMAP_SIZE || count > IGS_CMAP_SIZE - index) return (EINVAL); if (!uvm_useracc(p->red, count, B_READ) || diff --git a/sys/ufs/lfs/lfs_syscalls.c b/sys/ufs/lfs/lfs_syscalls.c index 3a3fb1fac7bb..c5064ca17cbc 100644 --- a/sys/ufs/lfs/lfs_syscalls.c +++ b/sys/ufs/lfs/lfs_syscalls.c @@ -1,4 +1,4 @@ -/* $NetBSD: lfs_syscalls.c,v 1.70 2002/07/07 14:29:06 briggs Exp $ */ +/* $NetBSD: lfs_syscalls.c,v 1.71 2002/08/03 00:12:49 itojun Exp $ */ /*- * Copyright (c) 1999, 2000 The NetBSD Foundation, Inc. @@ -71,7 +71,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: lfs_syscalls.c,v 1.70 2002/07/07 14:29:06 briggs Exp $"); +__KERNEL_RCSID(0, "$NetBSD: lfs_syscalls.c,v 1.71 2002/08/03 00:12:49 itojun Exp $"); #define LFS /* for prototypes in syscallargs.h */ @@ -617,6 +617,8 @@ sys_lfs_bmapv(struct proc *p, void *v, register_t *retval) return (error); blkcnt = SCARG(uap, blkcnt); + if ((u_int) blkcnt > SIZE_T_MAX / sizeof(BLOCK_INFO)) + return (EINVAL); blkiov = malloc(blkcnt * sizeof(BLOCK_INFO), M_SEGMENT, M_WAITOK); if ((error = copyin(SCARG(uap, blkiov), blkiov, blkcnt * sizeof(BLOCK_INFO))) != 0) @@ -650,6 +652,8 @@ sys_lfs_bmapv(struct proc *p, void *v, register_t *retval) return (error); blkcnt = SCARG(uap, blkcnt); + if ((u_int) blkcnt > SIZE_T_MAX / sizeof(BLOCK_INFO)) + return (EINVAL); blkiov = malloc(blkcnt * sizeof(BLOCK_INFO), M_SEGMENT, M_WAITOK); blkiov15 = malloc(blkcnt * sizeof(BLOCK_INFO_15), M_SEGMENT, M_WAITOK); if ((error = copyin(SCARG(uap, blkiov), blkiov15,
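Review bot: The overflow guard added to sys_lfs_bmapv casts with `(u_int) blkcnt`, which rejects a negative count only where size_t is 32 bits wide. Where size_t is 64 bits, every u_int value is below `SIZE_T_MAX / sizeof(BLOCK_INFO)`, so the test never fires, and a negative `blkcnt` (its declaration is outside the hunk, but the cast suggests it is signed) is then sign-extended in `blkcnt * sizeof(BLOCK_INFO)`. An explicit sign check makes the guard independent of word size: `if (blkcnt < 0 || (size_t)blkcnt > SIZE_T_MAX / sizeof(BLOCK_INFO)) return (EINVAL);`. The following hunk at -650 adds the same test and additionally sizes a BLOCK_INFO_15 allocation from `blkcnt`, so it needs the same change.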