root/src
r7940
File Last Change
branches/ 6420 (10 years ago) by laffer1: branch moved
release/ 7728 (7 years ago) by root: MidnightBSD 0.8-RELEASE
stable/ 7769 (7 years ago) by laffer1: MFC: refactor select count * for indexes, check for NULL before freeing memory in index structures, handle strdup cases properly with data == null
svnadmin/ 6424 (10 years ago) by laffer1: set props
trunk/ 7940 (7 years ago) by laffer1: Fix panics triggered by older mfiutil binaries run on the new mfi(4) driver. The new driver changed the size of the mfi_dcmd_frame structure in such a way that a MFI_IOC_PASSTHRU ioctl from an old amd64 binary is treated as an MFI_IOC_PASSTHRU32 ioctl in the new driver. As a result, the user pointer is treated as the buffer length. mfi_user_command() doesn't have a bounds check on the buffer length, so it passes a really big value to malloc() which panics when it tries to exhaust the kmem_map. Fix this two ways: - Only honor MFI_IOC_PASSTHRU32 if the binary has the SV_ILP32 flag set, otherwise treat it as an unknown ioctl. - Add a bounds check on the buffer length passed by the user. For now it fails any user attempts to use a buffer larger than 1MB. While here, fix a few other nits: - Remove an unnecessary check for a NULL return from malloc(M_WAITOK). - Use the ENOTTY errno for invalid ioctl commands instead of ENOENT.
vendor/ 7737 (7 years ago) by laffer1: tag 2016f
vendor-crypto/ 7390 (8 years ago) by laffer1: tag openssl 1.0.1q
7 directories and 0 files shown