kernel/vm: Revise overflow checking in user_strlcpy.

Change-Id: I6a066e7b2c51ff94d80381fcc940565f777209e7
Reviewed-on: https://review.haiku-os.org/c/haiku/+/2376
Reviewed-by: waddlesplash <waddlesplash@gmail.com>
waddlesplash 2020-03-16 21:20:08 -04:00
parent ee8cf35f07
commit 891edac940


@ -5291,10 +5291,26 @@ user_strlcpy(char* to, const char* from, size_t size)
return B_BAD_VALUE;
if (from == NULL)
return B_BAD_ADDRESS;
if (!validate_user_range(to, size) || !validate_user_range(from, size))
// Protect the source address from overflows.
size_t maxSize = size;
if ((addr_t)from + maxSize < (addr_t)from)
maxSize -= (addr_t)from + maxSize;
if (IS_USER_ADDRESS(from) && !IS_USER_ADDRESS((addr_t)from + maxSize))
maxSize = USER_TOP - (addr_t)from;
if (!validate_user_range(to, maxSize))
return B_BAD_ADDRESS;
return arch_cpu_user_strlcpy(to, from, size);
ssize_t result = arch_cpu_user_strlcpy(to, from, maxSize);
if (result < 0)
return result;
// If we hit the address overflow boundary, fail.
if ((size_t)result >= maxSize && maxSize < size)
return B_BAD_ADDRESS;
return result;
}
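Review bot: After this change `from` is no longer passed to `validate_user_range`, and the boundary clamp at `if (IS_USER_ADDRESS(from) && ...)` only applies when `from` is a user address, so a source pointer outside the user range reaches `arch_cpu_user_strlcpy` with nothing but the wraparound clamp applied. If that is intentional (kernel-to-user copies presumably go through this function as well), it deserves a comment above the clamp such as `// 'from' may legitimately be a kernel address: clamp the size, never reject it here.`; if it is not, the source should be rejected explicitly. The wraparound line `maxSize -= (addr_t)from + maxSize;` is hard to read at a glance and would benefit from `// Shrink maxSize to the bytes left before the address space wraps.`. The clamp limits the size handed to the copy routine; whether the scan of the source also stops at `maxSize` depends on `arch_cpu_user_strlcpy`, which is outside this hunk, as is the start of `user_strlcpy`.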