Don't try to copyout() to a kernel buffer.
author: jhb <jhb@FreeBSD.org>
Fri, 17 Apr 2020 18:19:13 +0000 (18:19 +0000)
committer: jhb <jhb@FreeBSD.org>
Fri, 17 Apr 2020 18:19:13 +0000 (18:19 +0000)
commit: fe1f8465b1f322bd7367343e62ce72d9fb5e45c3
tree: b9efbba145d82a543797287a311f99f4d138b79a
parent: ebeaf1673a4eaed2cb977ec59f0cbae552feff56

The handle_string callback for the ENCIOC_GET_ENCNAME and
ENCIOC_GETENCID ioctls tries to copy the size of the generated string
out to userland.  However, the callback only has access to the kernel
copy of the structure populated by copyin().  The copyout() call
simply overwrites the value in the kernel's copy, preventing the
subsequent overflow prevention logic from working.

Fix this by instead doing a copyout() of the updated length in the
caller after the callback returns.

Reviewed by: kib
Obtained from: CheriBSD
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D24456
sys/cam/scsi/scsi_enc.c
sys/cam/scsi/scsi_enc_ses.c
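
A userland C model of the pattern the commit message describes, added here as an illustration; it is not the FreeBSD code. `struct str_arg`, `model_copyout`, the callbacks and the sample string are assumptions, and copyin()/copyout() are modelled as plain memory copies. Copying the length out on both success and ENOMEM is a choice made for this model.

```c
#include <errno.h>
#include <string.h>

struct str_arg { char *buf; size_t bufsiz; };  /* hypothetical ioctl argument */
static const char NAME[] = "constructed-enclosure-name"; /* sample string */
/* Userland stand-in for copyout(); the kernel one expects a user address. */
static void model_copyout(const void *k, void *u, size_t n) { memcpy(u, k, n); }

/* Before: karg is the kernel copy, so this "copyout" clobbers the limit. */
static int cb_before(struct str_arg *karg)
{
    size_t need = sizeof(NAME);
    model_copyout(&need, &karg->bufsiz, sizeof(need));
    if (need > karg->bufsiz)            /* can never be true now */
        return ENOMEM;
    model_copyout(NAME, karg->buf, need);
    return 0;
}

/* After: check the caller's limit, record the length in the kernel copy. */
static int cb_after(struct str_arg *karg)
{
    size_t need = sizeof(NAME), limit = karg->bufsiz;
    karg->bufsiz = need;
    if (need > limit)
        return ENOMEM;
    model_copyout(NAME, karg->buf, need);
    return 0;
}

static int ioctl_before(struct str_arg *uarg)
{
    struct str_arg karg = *uarg;        /* models copyin() */
    return cb_before(&karg);
}

static int ioctl_after(struct str_arg *uarg)
{
    struct str_arg karg = *uarg;        /* models copyin() */
    int error = cb_after(&karg);
    /* Only the caller has the user pointer, so it copies the length out. */
    model_copyout(&karg.bufsiz, &uarg->bufsiz, sizeof(karg.bufsiz));
    return error;
}
int main(void)
{
    char backing[64] = {0};             /* real allocation; declared size is 8 */
    struct str_arg u = { backing, 8 };
    return !(ioctl_before(&u) == 0 && backing[8] != 0 && ioctl_after(&u) == ENOMEM);
}
```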