Subject: kern/13112: argument check missing in wi_ioctl?
To: None <gnats-bugs@gnats.netbsd.org>
From: None <toshii@netbsd.org>
List: netbsd-bugs
Date: 06/05/2001 10:52:58
>Number:         13112
>Category:       kern
>Synopsis:       argument check missing in wi_ioctl?
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 04 18:52:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     IWAMOTO Toshihiro
>Release:        NetBSD-current
>Organization:
	
>Environment:
	NetBSD/hpcarm
>Description:
	It looks like nobody checks wreq.wi_len passed as an ioctl argument.
	Passing a large value may cause a kernel page fault.

>How-To-Repeat:
	code inspection.
>Fix:
	Maybe the following patch.
	This patch is not tested yet, and other fixes may also be necessary.
	It is also possible that this PR is bogus and the patch isn't
	needed.
	(I'm not likely to have enough time to look into this in a week or so.)

Index: wi.c
===================================================================
RCS file: /cvs/cvsroot/syssrc/sys/dev/ic/wi.c,v
retrieving revision 1.16
diff -u -r1.16 wi.c
--- wi.c	2001/06/04 03:34:47	1.16
+++ wi.c	2001/06/05 01:43:37
@@ -1241,6 +1241,8 @@
 		} else {
 			if (sc->sc_enabled == 0)
 				error = wi_getdef(sc, &wreq);
+			else if (wreq.wi_len > WI_MAX_DATALEN)
+				error = EINVAL;
 			else if (wi_read_record(sc, (struct wi_ltv_gen *)&wreq))
 				error = EINVAL;
 		}
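Review bot: the new bound on wreq.wi_len sits after the `if (sc->sc_enabled == 0)` test, so when the interface is disabled control still reaches `wi_getdef(sc, &wreq)` with wi_len unchecked; if wi_getdef honours the caller-supplied length, that branch keeps the original problem. Hoisting the `wreq.wi_len > WI_MAX_DATALEN` comparison above the sc_enabled test covers both branches with a single check. It is also worth confirming, in the header that defines them, that wi_len and WI_MAX_DATALEN are counted in the same unit, since the cast to `struct wi_ltv_gen` suggests a firmware record format whose length field may not be in bytes.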
@@ -1261,7 +1263,9 @@
 			error = wi_mgmt_xmit(sc, (caddr_t)&wreq.wi_val,
 			    wreq.wi_len);
 		} else {
-			if (sc->sc_enabled != 0)
+			if (wreq.wi_len > WI_MAX_DATALEN)
+				error = EINVAL;
+			else if (sc->sc_enabled != 0)
 				error = wi_write_record(sc,
 				    (struct wi_ltv_gen *)&wreq);
 			if (error == 0)
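Review bot: the check is added only in the `else` branch, but the `if` branch directly above it passes the same field straight through in `wi_mgmt_xmit(sc, (caddr_t)&wreq.wi_val, wreq.wi_len)`, so an oversized length still reaches the transmit path unvalidated. Moving the `wreq.wi_len > WI_MAX_DATALEN` test up so that it precedes the whole if/else would cover both the management-frame and the write-record paths, and would let `if (sc->sc_enabled != 0)` keep its original form. Note too that with this hunk a disabled device now returns EINVAL for an oversized record instead of falling through to `if (error == 0)` with error unchanged; that looks like the right outcome, since whatever that block does with wreq is also reached with an unchecked length today, but it is a behaviour change for the disabled case and should be mentioned in the commit message.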
>Release-Note:
>Audit-Trail:
>Unformatted: