From fc1b542624e72765c66f2d948408830b47a571eb Mon Sep 17 00:00:00 2001 From: Ilja van Sprundel Date: Thu, 3 Oct 2019 15:18:52 +0200 Subject: [PATCH] add a bounds check This change adds a bounds check to make sure count is not larger than MAX_PARAMS when copying data from the caller. This prevents a buffer overflow from occurring. --- minix/drivers/vmm_guest/vbox/hgcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/minix/drivers/vmm_guest/vbox/hgcm.c b/minix/drivers/vmm_guest/vbox/hgcm.c index c230e1d02..605f9f5c2 100644 --- a/minix/drivers/vmm_guest/vbox/hgcm.c +++ b/minix/drivers/vmm_guest/vbox/hgcm.c @@ -575,7 +575,7 @@ static int do_call(message *m_ptr, int ipc_status, int *code) hgcm_conn[conn].req[req].grant = m_ptr->VBOX_GRANT; hgcm_conn[conn].req[req].count = count; - if (count > 0) { + if (count > 0 && count <= MAX_PARAMS) { if ((r = sys_safecopyfrom(m_ptr->m_source, m_ptr->VBOX_GRANT, 0, (vir_bytes) hgcm_conn[conn].req[req].param, count * sizeof(vbox_param_t))) != OK)