[src/trunk]: src/sys/fs/ptyfs Overflow if *data_len == OSIZE and args->versio...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/9dec732628ec
branches:  trunk
changeset: 331553:9dec732628ec
user:      maxv <maxv%NetBSD.org@localhost>
date:      Thu Aug 14 14:06:53 2014 +0000

description:
Overflow if *data_len == OSIZE and args->version >= PTYFS_ARGSVERSION.

Sent on tech-kern@, ok christos@

diffstat:

 sys/fs/ptyfs/ptyfs_vfsops.c |  10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diffs (31 lines):

diff -r d684a615d24e -r 9dec732628ec sys/fs/ptyfs/ptyfs_vfsops.c
--- a/sys/fs/ptyfs/ptyfs_vfsops.c       Thu Aug 14 12:48:52 2014 +0000
+++ b/sys/fs/ptyfs/ptyfs_vfsops.c       Thu Aug 14 14:06:53 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ptyfs_vfsops.c,v 1.51 2014/08/13 14:10:00 hannken Exp $        */
+/*     $NetBSD: ptyfs_vfsops.c,v 1.52 2014/08/14 14:06:53 maxv Exp $   */
 
 /*
  * Copyright (c) 1992, 1993, 1995
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ptyfs_vfsops.c,v 1.51 2014/08/13 14:10:00 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ptyfs_vfsops.c,v 1.52 2014/08/14 14:06:53 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -266,8 +266,10 @@
 
        if (args == NULL)
                return EINVAL;
-       if (*data_len != sizeof *args && *data_len != OSIZE)
-               return EINVAL;
+       if (*data_len != sizeof *args) {
+               if (*data_len != OSIZE || args->version >= PTYFS_ARGSVERSION)
+                       return EINVAL;
+       }
 
        if (UIO_MX & (UIO_MX - 1)) {
                log(LOG_ERR, "ptyfs: invalid directory entry size");