From cd12688f17ea6c446983da41ff07e4c3f7d2f6fa Mon Sep 17 00:00:00 2001 From: pooka Date: Thu, 15 Feb 2007 19:50:54 +0000 Subject: [PATCH] Sanity-check linklen returned from file server in READLINK. --- sys/fs/puffs/puffs_vnops.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/sys/fs/puffs/puffs_vnops.c b/sys/fs/puffs/puffs_vnops.c index 190115d13e6d..94437f5a277a 100644 --- a/sys/fs/puffs/puffs_vnops.c +++ b/sys/fs/puffs/puffs_vnops.c @@ -1,4 +1,4 @@ -/* $NetBSD: puffs_vnops.c,v 1.50 2007/02/10 13:12:43 pooka Exp $ */ +/* $NetBSD: puffs_vnops.c,v 1.51 2007/02/15 19:50:54 pooka Exp $ */ /* * Copyright (c) 2005, 2006 Antti Kantee. All Rights Reserved. @@ -33,7 +33,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: puffs_vnops.c,v 1.50 2007/02/10 13:12:43 pooka Exp $"); +__KERNEL_RCSID(0, "$NetBSD: puffs_vnops.c,v 1.51 2007/02/15 19:50:54 pooka Exp $"); #include #include @@ -1217,12 +1217,14 @@ puffs_readlink(void *v) struct uio *a_uio; kauth_cred_t a_cred; } */ *ap = v; + size_t linklen; int error; PUFFS_VNREQ(readlink); puffs_credcvt(&readlink_arg.pvnr_cred, ap->a_cred); - readlink_arg.pvnr_linklen = sizeof(readlink_arg.pvnr_link); + linklen = sizeof(readlink_arg.pvnr_link); + readlink_arg.pvnr_linklen = linklen; error = puffs_vntouser(MPTOPUFFSMP(ap->a_vp->v_mount), PUFFS_VN_READLINK, &readlink_arg, sizeof(readlink_arg), @@ -1230,7 +1232,10 @@ puffs_readlink(void *v) if (error) return error; - readlink_arg.pvnr_link[readlink_arg.pvnr_linklen] = '\0'; + /* bad bad user file server */ + if (readlink_arg.pvnr_linklen > linklen) + return EINVAL; + return uiomove(&readlink_arg.pvnr_link, readlink_arg.pvnr_linklen, ap->a_uio); }
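Review bot: The new bounds check in the last hunk returns `EINVAL`, which readlink(2) callers conventionally read as "not a symbolic link", so a file server that reports an oversized `pvnr_linklen` looks the same as an ordinary caller error. A distinct errno such as `EIO` or `EPROTO` would make a misbehaving server diagnosable. The comment `/* bad bad user file server */` should state the invariant instead, e.g. `/* pvnr_linklen is filled in by the userspace file server; never copy out more than the buffer we offered */`. The comparison against the `size_t linklen` only rejects negative lengths if `pvnr_linklen` is unsigned or no wider than `size_t`; its declaration is not visible in this patch, so that is worth confirming. The body of puffs_readlink starts outside the hunk.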