Source-Changes-HG archive
[src/trunk]: src/sys/dev/scsipi Avoid buffer overflow when copying from bounc...
details: https://anonhg.NetBSD.org/src/rev/0e39134657ac
branches: trunk
changeset: 945336:0e39134657ac
user: mlelstv <mlelstv%NetBSD.org@localhost>
date: Mon Oct 26 11:39:48 2020 +0000
description:
Avoid buffer overflow when copying from bounce buffer.
Fixes PR 54810
Don't use uninitialized pointer in split bounce buffer case and
free a partially allocated bounce buffer on error.
diffstat:
sys/dev/scsipi/cd.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
diffs (40 lines):
diff -r 5e11d556bbd9 -r 0e39134657ac sys/dev/scsipi/cd.c
--- a/sys/dev/scsipi/cd.c Mon Oct 26 07:37:52 2020 +0000
+++ b/sys/dev/scsipi/cd.c Mon Oct 26 11:39:48 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cd.c,v 1.348 2020/09/29 03:04:03 msaitoh Exp $ */
+/* $NetBSD: cd.c,v 1.349 2020/10/26 11:39:48 mlelstv Exp $ */
/*-
* Copyright (c) 1998, 2001, 2003, 2004, 2005, 2008 The NetBSD Foundation,
@@ -50,7 +50,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: cd.c,v 1.348 2020/09/29 03:04:03 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cd.c,v 1.349 2020/10/26 11:39:48 mlelstv Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -667,7 +667,7 @@
cd_iosize(dksc->sc_dev, &count);
bounce->head = skip * DEV_BSIZE;
- bounce->lcount = count - bounce->head;
+ bounce->lcount = imin(count - bounce->head, bp->b_bcount);
bounce->rcount = bp->b_bcount - bounce->lcount;
error = cd_make_bounce_buffer(cd, bp, blkno, count, &lbp, bounce);
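Review bot: the new imin() on the bounce->lcount line bounds the value from above only. count has just been passed through cd_iosize(dksc->sc_dev, &count), so if it can come back smaller than bounce->head (skip * DEV_BSIZE), the difference is negative, imin() passes it through unchanged, and bounce->rcount = bp->b_bcount - bounce->lcount then exceeds b_bcount. Either assert count >= bounce->head before this line or add a comment saying why that always holds. A one-line comment on the clamp would also help: it is what makes rcount come out as 0 when the whole request fits in the first chunk, which is the copy-back case the commit message describes.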
@@ -678,10 +678,10 @@
count = total - count;
if (count > 0) {
- bounce->lbp->b_private = bounce;
error = cd_make_bounce_buffer(cd, bp, blkno, count, &rbp, bounce);
if (error) {
- putiobuf(bounce->lbp);
+ free(lbp->b_data, M_DEVBUF);
+ putiobuf(lbp);
goto bad;
}
} else
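Review bot: the error path under the second cd_make_bounce_buffer() call now open-codes the teardown as free(lbp->b_data, M_DEVBUF) followed by putiobuf(lbp), which hard-wires the assumption that cd_make_bounce_buffer() allocated b_data from M_DEVBUF and that a failed call for rbp has already released anything it allocated itself. Neither is visible in this hunk, so please confirm both, and consider a small release helper so that this path and the normal completion path cannot drift apart. Separately, the removed line bounce->lbp->b_private = bounce was the only visible place where the left buffer got its b_private; the change should make clear where lbp->b_private is set now, since the I/O completion side presumably relies on it to find the bounce state.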