Searched hist:238077 (Results 1 - 1 of 1) sorted by relevance
| /freebsd-10.2-release/sys/dev/mfi/ | ||
| H A D | mfi.c | diff 238077 Tue Jul 03 16:25:08 MDT 2012 jhb Fix panics triggered by older mfiutil binaries run on the new mfi(4) driver. The new driver changed the size of the mfi_dcmd_frame structure in such a way that a MFI_IOC_PASSTHRU ioctl from an old amd64 binary is treated as an MFI_IOC_PASSTHRU32 ioctl in the new driver. As a result, the user pointer is treated as the buffer length. mfi_user_command() doesn't have a bounds check on the buffer length, so it passes a really big value to malloc() which panics when it tries to exhaust the kmem_map. Fix this two ways: - Only honor MFI_IOC_PASSTHRU32 if the binary has the SV_ILP32 flag set, otherwise treat it as an unknown ioctl. - Add a bounds check on the buffer length passed by the user. For now it fails any user attempts to use a buffer larger than 1MB. While here, fix a few other nits: - Remove an unnecessary check for a NULL return from malloc(M_WAITOK). - Use the ENOTTY errno for invalid ioctl commands instead of ENOENT. MFC after: 3 days |
Completed in 88 milliseconds