validated returned length value

Make sure the service isn't lying about the amount of bytes it wrote into vaddr. This prevents possible out-of-bounds reads and writes by callers that rely on and trust the length value returned by the server.
Ilja van Sprundel 2019-10-03 15:26:53 +02:00 committed by GitHub
parent fc1b542624
commit c83104101c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -141,6 +141,9 @@ static int ds_retrieve_raw(const char *ds_name, char *vaddr, size_t *length,
m.m_ds_req.val_len = *length;
m.m_ds_req.flags = flags;
r = do_invoke_ds(&m, DS_RETRIEVE, ds_name);
if (m.m_ds_reply.val_len > *length) {
return EINVAL;
}
*length = m.m_ds_reply.val_len;
cpf_revoke(gid);
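
Review bot: The early `return EINVAL;` inside the new `if (m.m_ds_reply.val_len > *length)` check exits before the `cpf_revoke(gid);` that follows, so when the server reports an oversized length `gid` is left unrevoked. The check also runs regardless of the value in `r`, so a failed `do_invoke_ds` call has its error replaced by EINVAL if the reply field happens to be large. Suggest validating the length only when the call succeeded, and recording the failure as `r = EINVAL` so that control still reaches `cpf_revoke(gid);` before returning, with `*length` updated only on the valid path.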