[src/trunk]: src/sys/compat/svr4 Check bounds in svr4_sys_putmsg. Check more...

[riastradh <riastradh%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/9e844cc3e2b0
branches:  trunk
changeset: 825719:9e844cc3e2b0
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Fri Jul 28 17:52:47 2017 +0000

description:
Check bounds in svr4_sys_putmsg.  Check more svr4_strmcmd bounds.

svr4 streams code is still a disaster.

>From Ilja Van Sprundel.

diffstat:

 sys/compat/svr4/svr4_stream.c |  26 ++++++++++++++++++++------
 1 files changed, 20 insertions(+), 6 deletions(-)

diffs (68 lines):

diff -r 91ec96c973e3 -r 9e844cc3e2b0 sys/compat/svr4/svr4_stream.c
--- a/sys/compat/svr4/svr4_stream.c     Fri Jul 28 17:43:46 2017 +0000
+++ b/sys/compat/svr4/svr4_stream.c     Fri Jul 28 17:52:47 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: svr4_stream.c,v 1.90 2017/07/28 17:43:46 riastradh Exp $        */
+/*     $NetBSD: svr4_stream.c,v 1.91 2017/07/28 17:52:47 riastradh Exp $        */
 
 /*-
  * Copyright (c) 1994, 2008 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.90 2017/07/28 17:43:46 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.91 2017/07/28 17:52:47 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -533,6 +533,11 @@
 
        if ((error = copyin(NETBSD32PTR(ioc->buf), &lst, ioc->len)) != 0)
                return error;
+       if (lst.offs < 0 ||
+           lst.len < 0 ||
+           lst.len > ioc->len ||
+           ioc->len - lst.len < lst.offs)
+               return EINVAL;
 
        if (lst.cmd != SVR4_TI_OLD_BIND_REQUEST) {
                DPRINTF(("si_listen: bad request %ld\n", lst.cmd));
@@ -777,7 +782,10 @@
                DPRINTF(("ti_bind: bad request %ld\n", bnd.cmd));
                return EINVAL;
        }
-       if (bnd.offs < 0)
+       if (bnd.offs < 0 ||
+           bnd.len < 0 ||
+           bnd.len > ioc->len ||
+           ioc->len - bnd.len < bnd.offs)
                return EINVAL;
 
        switch (st->s_family) {
@@ -1434,7 +1442,10 @@
 
        if ((error = copyin(NETBSD32PTR(ctl.buf), &sc, ctl.len)) != 0)
                goto out;
-       if (sc.offs < 0) {
+       if (sc.offs < 0 ||
+           sc.len < 0 ||
+           sc.len > ctl.len ||
+           sc.offs > ctl.len - sc.len) {
                error = EINVAL;
                goto out;
        }
@@ -1481,8 +1492,11 @@
                        *retval = 0;
                        error = 0;
                        goto out;
-               }
-               else {
+               } else if (sc.len < sizeof(dev_t[2])) {
+                       *retval = 0;
+                       error = EINVAL;
+                       goto out;
+               } else {
                        /* Maybe we've been given a device/inode pair */
                        dev_t *dev = SVR4_ADDROF(&sc);
                        svr4_ino_t *ino = (svr4_ino_t *) &dev[1];