tacit/minix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add a bounds check

Browse Source 
This change adds a bounds check to make sure count is not larger than MAX_PARAMS when copying data from the caller. This prevents a buffer overflow from occurring.
This commit is contained in:
Ilja van Sprundel 2019-10-03 15:18:52 +02:00 committed by GitHub
parent 12bc3e2937
commit fc1b542624
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
minix/drivers/vmm_guest/vbox/hgcm.c
View File

@ -575,7 +575,7 @@ static int do_call(message *m_ptr, int ipc_status, int *code)
hgcm_conn[conn].req[req].grant = m_ptr->VBOX_GRANT; hgcm_conn[conn].req[req].grant = m_ptr->VBOX_GRANT;
hgcm_conn[conn].req[req].count = count; hgcm_conn[conn].req[req].count = count;
if (count > 0) { if (count > 0 && count <= MAX_PARAMS) {
if ((r = sys_safecopyfrom(m_ptr->m_source, m_ptr->VBOX_GRANT, if ((r = sys_safecopyfrom(m_ptr->m_source, m_ptr->VBOX_GRANT,
0, (vir_bytes) hgcm_conn[conn].req[req].param, 0, (vir_bytes) hgcm_conn[conn].req[req].param,
count * sizeof(vbox_param_t))) != OK) count * sizeof(vbox_param_t))) != OK)