Source-Changes-HG archive


[src/trunk]: src/sys/coda When validating the mount device string make sure i...



details:   https://anonhg.NetBSD.org/src/rev/564f2515d9b3
branches:  trunk
changeset: 957148:564f2515d9b3
user:      hannken <hannken%NetBSD.org@localhost>
date:      Fri Nov 20 10:08:47 2020 +0000

description:
When validating the mount device string make sure its length
is below *data_len and below PATH_MAX.

Reported-by: syzbot+2d3af801141509cc858c%syzkaller.appspotmail.com@localhost

diffstat:

 sys/coda/coda_vfsops.c |  10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diffs (31 lines):

diff -r 1794167836fd -r 564f2515d9b3 sys/coda/coda_vfsops.c
--- a/sys/coda/coda_vfsops.c    Fri Nov 20 01:29:46 2020 +0000
+++ b/sys/coda/coda_vfsops.c    Fri Nov 20 10:08:47 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: coda_vfsops.c,v 1.88 2020/11/14 11:41:29 hannken Exp $ */
+/*     $NetBSD: coda_vfsops.c,v 1.89 2020/11/20 10:08:47 hannken Exp $ */
 
 /*
  *
@@ -45,7 +45,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.88 2020/11/14 11:41:29 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.89 2020/11/20 10:08:47 hannken Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -197,7 +197,11 @@
      * fixed default size for the filename buffer.
      */
     /* Ensure that namei() doesn't run off the filename buffer */
-    ((char *)data)[*data_len - 1] = 0;
+    if (*data_len < 1 || *data_len > PATH_MAX ||
+       strnlen(data, *data_len) >= *data_len) {
+       MARK_INT_FAIL(CODA_MOUNT_STATS);
+       return EINVAL;
+    }
     error = namei_simple_kernel((char *)data, NSM_FOLLOW_NOEMULROOT,
                &dvp);
 
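Review bot: the new `if` before `namei_simple_kernel()` changes behaviour for unterminated input and the comment above it does not say so. The removed line forced a NUL at `*data_len - 1` and let the mount proceed with a truncated name (and indexed `data[-1]` when `*data_len` was 0), while the new check returns EINVAL for the same input. Consider rewording the "Ensure that namei() doesn't run off the filename buffer" comment to state that the string must already be NUL-terminated within `*data_len` bytes and that `*data_len` is limited to PATH_MAX. Two smaller points: `strnlen(data, *data_len)` passes `data` uncast while the following call uses `(char *)data`, so pick one form; and the hunk shows no NULL check on `data`, so confirm one precedes this block.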


