Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/coda When validating the mount device string make sure i...
details: https://anonhg.NetBSD.org/src/rev/72e626ceb2c3
branches: trunk
changeset: 1016407:72e626ceb2c3
user: hannken <hannken%NetBSD.org@localhost>
date: Fri Nov 20 10:08:47 2020 +0000
description:
When validating the mount device string make sure its length
is below *data_len and below PATH_MAX.
Reported-by: syzbot+2d3af801141509cc858c%syzkaller.appspotmail.com@localhost
diffstat:
sys/coda/coda_vfsops.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
diffs (31 lines):
diff -r cd9813ebc47a -r 72e626ceb2c3 sys/coda/coda_vfsops.c
--- a/sys/coda/coda_vfsops.c Fri Nov 20 01:29:46 2020 +0000
+++ b/sys/coda/coda_vfsops.c Fri Nov 20 10:08:47 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: coda_vfsops.c,v 1.88 2020/11/14 11:41:29 hannken Exp $ */
+/* $NetBSD: coda_vfsops.c,v 1.89 2020/11/20 10:08:47 hannken Exp $ */
/*
*
@@ -45,7 +45,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.88 2020/11/14 11:41:29 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.89 2020/11/20 10:08:47 hannken Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -197,7 +197,11 @@
* fixed default size for the filename buffer.
*/
/* Ensure that namei() doesn't run off the filename buffer */
- ((char *)data)[*data_len - 1] = 0;
+ if (*data_len < 1 || *data_len > PATH_MAX ||
+ strnlen(data, *data_len) >= *data_len) {
+ MARK_INT_FAIL(CODA_MOUNT_STATS);
+ return EINVAL;
+ }
error = namei_simple_kernel((char *)data, NSM_FOLLOW_NOEMULROOT,
&dvp);
Home |
Main Index |
Thread Index |
Old Index