[src/trunk]: src/sys/miscfs/kernfs Don't allow negative offsets when reading ...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/3cb65afd36f4
branches:  trunk
changeset: 583951:3cb65afd36f4
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Aug 31 09:54:54 2005 +0000

description:
Don't allow negative offsets when reading the message buffer, because it
can allow reading arbitrary kernel memory.

diffstat:

 sys/miscfs/kernfs/kernfs_vnops.c |  8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diffs (29 lines):

diff -r e34e0afca7d1 -r 3cb65afd36f4 sys/miscfs/kernfs/kernfs_vnops.c
--- a/sys/miscfs/kernfs/kernfs_vnops.c  Wed Aug 31 07:07:29 2005 +0000
+++ b/sys/miscfs/kernfs/kernfs_vnops.c  Wed Aug 31 09:54:54 2005 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kernfs_vnops.c,v 1.110 2005/08/30 20:08:01 xtraeme Exp $       */
+/*     $NetBSD: kernfs_vnops.c,v 1.111 2005/08/31 09:54:54 christos Exp $      */
 
 /*
  * Copyright (c) 1992, 1993
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kernfs_vnops.c,v 1.110 2005/08/30 20:08:01 xtraeme Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kernfs_vnops.c,v 1.111 2005/08/31 09:54:54 christos Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -427,6 +427,10 @@
                 * message buffer header are corrupted, but that'll cause
                 * the system to die anyway.
                 */
+               if (off < 0) {
+                       *wrlen = 0;
+                       return EINVAL;
+               }
                if (off >= msgbufp->msg_bufs) {
                        *wrlen = 0;
                        return (0);