[src/trunk]: src/sys bound check mount args more thoroughly

[jdolecek <jdolecek%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/1463b16c3bc1
branches:  trunk
changeset: 513542:1463b16c3bc1
user:      jdolecek <jdolecek%NetBSD.org@localhost>
date:      Fri Aug 03 06:00:13 2001 +0000

description:
bound check mount args more thoroughly

diffstat:

 sys/kern/vfs_subr.c             |  6 +++++-
 sys/miscfs/umapfs/umap_vfsops.c |  7 ++++++-
 sys/nfs/nfs.h                   |  6 +++---
 3 files changed, 14 insertions(+), 5 deletions(-)

diffs (62 lines):

diff -r bf29ae3b67b5 -r 1463b16c3bc1 sys/kern/vfs_subr.c
--- a/sys/kern/vfs_subr.c       Fri Aug 03 05:58:18 2001 +0000
+++ b/sys/kern/vfs_subr.c       Fri Aug 03 06:00:13 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vfs_subr.c,v 1.155 2001/07/08 10:32:38 jdolecek Exp $  */
+/*     $NetBSD: vfs_subr.c,v 1.156 2001/08/03 06:00:13 jdolecek Exp $  */
 
 /*-
  * Copyright (c) 1997, 1998 The NetBSD Foundation, Inc.
@@ -2093,6 +2093,10 @@
                mp->mnt_flag |= MNT_DEFEXPORTED;
                return (0);
        }
+
+       if (argp->ex_addrlen > MLEN)
+               return (EINVAL);
+
        i = sizeof(struct netcred) + argp->ex_addrlen + argp->ex_masklen;
        np = (struct netcred *)malloc(i, M_NETADDR, M_WAITOK);
        memset((caddr_t)np, 0, i);
diff -r bf29ae3b67b5 -r 1463b16c3bc1 sys/miscfs/umapfs/umap_vfsops.c
--- a/sys/miscfs/umapfs/umap_vfsops.c   Fri Aug 03 05:58:18 2001 +0000
+++ b/sys/miscfs/umapfs/umap_vfsops.c   Fri Aug 03 06:00:13 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: umap_vfsops.c,v 1.28 2001/08/02 22:40:59 assar Exp $   */
+/*     $NetBSD: umap_vfsops.c,v 1.29 2001/08/03 06:00:13 jdolecek Exp $        */
 
 /*
  * Copyright (c) 1992, 1993
@@ -144,6 +144,11 @@
        /* 
         * Now copy in the number of entries and maps for umap mapping.
         */
+       if (args.nentries > MAPFILEENTRIES || args.gnentries > GMAPFILEENTRIES){
+               vput(lowerrootvp);
+               return (error);
+       }
+
        amp->info_nentries = args.nentries;
        amp->info_gnentries = args.gnentries;
        error = copyin(args.mapdata, (caddr_t)amp->info_mapdata, 
diff -r bf29ae3b67b5 -r 1463b16c3bc1 sys/nfs/nfs.h
--- a/sys/nfs/nfs.h     Fri Aug 03 05:58:18 2001 +0000
+++ b/sys/nfs/nfs.h     Fri Aug 03 06:00:13 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: nfs.h,v 1.29 2001/07/01 02:13:35 gmcgarry Exp $        */
+/*     $NetBSD: nfs.h,v 1.30 2001/08/03 06:00:14 jdolecek Exp $        */
 /*
  * Copyright (c) 1989, 1993, 1995
  *     The Regents of the University of California.  All rights reserved.
@@ -200,9 +200,9 @@
        char            *ncd_dirp;      /* Mount dir path */
        uid_t           ncd_authuid;    /* Effective uid */
        int             ncd_authtype;   /* Type of authenticator */
-       int             ncd_authlen;    /* Length of authenticator string */
+       u_int           ncd_authlen;    /* Length of authenticator string */
        u_char          *ncd_authstr;   /* Authenticator string */
-       int             ncd_verflen;    /* and the verifier */
+       u_int           ncd_verflen;    /* and the verifier */
        u_char          *ncd_verfstr;
        NFSKERBKEY_T    ncd_key;        /* Session key */
 };