[src/trunk]: src/sys/coda Correct incomplete size checks for the coda ioctls....

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/65d74894cd91
branches:  trunk
changeset: 756515:65d74894cd91
user:      christos <christos%NetBSD.org@localhost>
date:      Tue Jul 20 17:26:03 2010 +0000

description:
Correct incomplete size checks for the coda ioctls. From Dan Rosenberg.

diffstat:

 sys/coda/coda.h       |  6 +++---
 sys/coda/coda_venus.c |  6 +++---
 sys/coda/coda_vnops.c |  6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diffs (74 lines):

diff -r 12620c7f534b -r 65d74894cd91 sys/coda/coda.h
--- a/sys/coda/coda.h   Tue Jul 20 16:39:27 2010 +0000
+++ b/sys/coda/coda.h   Tue Jul 20 17:26:03 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: coda.h,v 1.15 2009/09/28 10:51:35 blymn Exp $ */
+/* $NetBSD: coda.h,v 1.16 2010/07/20 17:26:03 christos Exp $ */
 
 /*
 
@@ -793,8 +793,8 @@
 #define PIOCPARM_MASK 0x0000ffff
 struct ViceIoctl {
         void *in, *out;                /* Data to be transferred in, or out */
-        short in_size;          /* Size of input buffer <= 2K */
-        short out_size;         /* Maximum size of output buffer, <= 2K */
+        unsigned short in_size; /* Size of input buffer <= 2K */
+        unsigned short out_size;/* Maximum size of output buffer, <= 2K */
 };
 
 struct PioctlData {
diff -r 12620c7f534b -r 65d74894cd91 sys/coda/coda_venus.c
--- a/sys/coda/coda_venus.c     Tue Jul 20 16:39:27 2010 +0000
+++ b/sys/coda/coda_venus.c     Tue Jul 20 17:26:03 2010 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: coda_venus.c,v 1.27 2009/04/18 14:58:02 tsutsui Exp $  */
+/*     $NetBSD: coda_venus.c,v 1.28 2010/07/20 17:26:03 christos Exp $ */
 
 /*
  *
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.27 2009/04/18 14:58:02 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: coda_venus.c,v 1.28 2010/07/20 17:26:03 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -308,7 +308,7 @@
     tmp = ((com >> 16) & IOCPARM_MASK) - sizeof (char *) - sizeof (int);
     inp->cmd |= (tmp & IOCPARM_MASK) <<        16;
 
-    if (iap->vi.in_size < 0 || iap->vi.in_size > VC_MAXMSGSIZE) {
+    if (iap->vi.in_size > VC_MAXMSGSIZE || iap->vi.out_size > VC_MAXMSGSIZE) {
        CODA_FREE(inp, coda_ioctl_size);
        return (EINVAL);
     }
diff -r 12620c7f534b -r 65d74894cd91 sys/coda/coda_vnops.c
--- a/sys/coda/coda_vnops.c     Tue Jul 20 16:39:27 2010 +0000
+++ b/sys/coda/coda_vnops.c     Tue Jul 20 17:26:03 2010 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: coda_vnops.c,v 1.75 2010/07/01 13:00:54 hannken Exp $  */
+/*     $NetBSD: coda_vnops.c,v 1.76 2010/07/20 17:26:03 christos Exp $ */
 
 /*
  *
@@ -46,7 +46,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: coda_vnops.c,v 1.75 2010/07/01 13:00:54 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: coda_vnops.c,v 1.76 2010/07/20 17:26:03 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -539,7 +539,7 @@
        return(EINVAL);
     }
 
-    if (iap->vi.in_size > VC_MAXDATASIZE) {
+    if (iap->vi.in_size > VC_MAXDATASIZE || iap->vi.out_size > VC_MAXDATASIZE) {
        vrele(tvp);
        return(EINVAL);
     }