doc/share/security/patches/SA-03:16/filedesc.patch

Index: sys/kern/sys_generic.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/sys_generic.c,v
retrieving revision 1.55.2.10
diff -c -r1.55.2.10 sys_generic.c
*** sys/kern/sys_generic.c	17 Mar 2001 10:39:32 -0000	1.55.2.10
--- sys/kern/sys_generic.c	23 Sep 2003 17:52:41 -0000
***************
*** 231,237 ****
  	register struct filedesc *fdp = p->p_fd;
  	struct uio auio;
  	register struct iovec *iov;
! 	struct iovec *needfree;
  	struct iovec aiov[UIO_SMALLIOV];
  	long i, cnt, error = 0;
  	u_int iovlen;
--- 231,237 ----
  	register struct filedesc *fdp = p->p_fd;
  	struct uio auio;
  	register struct iovec *iov;
! 	struct iovec *needfree = NULL;
  	struct iovec aiov[UIO_SMALLIOV];
  	long i, cnt, error = 0;
  	u_int iovlen;
***************
*** 245,258 ****
  	/* note: can't use iovlen until iovcnt is validated */
  	iovlen = uap->iovcnt * sizeof (struct iovec);
  	if (uap->iovcnt > UIO_SMALLIOV) {
! 		if (uap->iovcnt > UIO_MAXIOV)
! 			return (EINVAL);
  		MALLOC(iov, struct iovec *, iovlen, M_IOV, M_WAITOK);
  		needfree = iov;
! 	} else {
  		iov = aiov;
- 		needfree = NULL;
- 	}
  	auio.uio_iov = iov;
  	auio.uio_iovcnt = uap->iovcnt;
  	auio.uio_rw = UIO_READ;
--- 245,258 ----
  	/* note: can't use iovlen until iovcnt is validated */
  	iovlen = uap->iovcnt * sizeof (struct iovec);
  	if (uap->iovcnt > UIO_SMALLIOV) {
! 		if (uap->iovcnt > UIO_MAXIOV) {
! 			error = EINVAL;
! 			goto done;
! 		}
  		MALLOC(iov, struct iovec *, iovlen, M_IOV, M_WAITOK);
  		needfree = iov;
! 	} else
  		iov = aiov;
  	auio.uio_iov = iov;
  	auio.uio_iovcnt = uap->iovcnt;
  	auio.uio_rw = UIO_READ;
Import FreeBSD Security Advisories and Errata Notices, as well as their patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so) 2012-08-15 08:19:40 +02:00			`Index: sys/kern/sys_generic.c`
			`===================================================================`
			`RCS file: /home/ncvs/src/sys/kern/sys_generic.c,v`
			`retrieving revision 1.55.2.10`
			`diff -c -r1.55.2.10 sys_generic.c`
			`*** sys/kern/sys_generic.c 17 Mar 2001 10:39:32 -0000 1.55.2.10`
			`--- sys/kern/sys_generic.c 23 Sep 2003 17:52:41 -0000`
			`***************`
			`* 231,237 **`
			`register struct filedesc *fdp = p->p_fd;`
			`struct uio auio;`
			`register struct iovec *iov;`
			`! struct iovec *needfree;`
			`struct iovec aiov[UIO_SMALLIOV];`
			`long i, cnt, error = 0;`
			`u_int iovlen;`
			`--- 231,237 ----`
			`register struct filedesc *fdp = p->p_fd;`
			`struct uio auio;`
			`register struct iovec *iov;`
			`! struct iovec *needfree = NULL;`
			`struct iovec aiov[UIO_SMALLIOV];`
			`long i, cnt, error = 0;`
			`u_int iovlen;`
			`***************`
			`* 245,258 **`
			`/* note: can't use iovlen until iovcnt is validated */`
			`iovlen = uap->iovcnt * sizeof (struct iovec);`
			`if (uap->iovcnt > UIO_SMALLIOV) {`
			`! if (uap->iovcnt > UIO_MAXIOV)`
			`! return (EINVAL);`
			`MALLOC(iov, struct iovec *, iovlen, M_IOV, M_WAITOK);`
			`needfree = iov;`
			`! } else {`
			`iov = aiov;`
			`- needfree = NULL;`
			`- }`
			`auio.uio_iov = iov;`
			`auio.uio_iovcnt = uap->iovcnt;`
			`auio.uio_rw = UIO_READ;`
			`--- 245,258 ----`
			`/* note: can't use iovlen until iovcnt is validated */`
			`iovlen = uap->iovcnt * sizeof (struct iovec);`
			`if (uap->iovcnt > UIO_SMALLIOV) {`
			`! if (uap->iovcnt > UIO_MAXIOV) {`
			`! error = EINVAL;`
			`! goto done;`
			`! }`
			`MALLOC(iov, struct iovec *, iovlen, M_IOV, M_WAITOK);`
			`needfree = iov;`
			`! } else`
			`iov = aiov;`
			`auio.uio_iov = iov;`
			`auio.uio_iovcnt = uap->iovcnt;`
			`auio.uio_rw = UIO_READ;`