Validate whether the zfs_cmd_t submitted from userland is not smaller than

what we have. Without the check the kernel could accessing memory that does not belong to the request struct. Note that we do not test if the struct equals in size at this time, which may faciliate forward compatibility with newer binaries. Reviewed by: pjd at MeetBSD CA '2010 MFC after: 1 week
svn path=/head/; revision=214854
2025-01-19 15:33:56 +00:00 · 2010-11-05 22:18:09 +00:00 · 2010-11-05 22:18:09 +00:00 · b97a9057c2 · 2020-12-20 02:59:44 +00:00
commit b97a9057c2
parent 5aa39e6a7e
1 changed files with 8 additions and 0 deletions
--- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
+++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
@ -3627,6 +3627,14 @@ zfsdev_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
 	uint_t vec;
 	int error;

+	/*
+	 * Check if we have sufficient kernel memory allocated
+	 * for the zfs_cmd_t request.  Bail out if not so we
+	 * will not access undefined memory region.
+	 */
+	if (IOCPARM_LEN(cmd) < sizeof(zfs_cmd_t))
+		return (EINVAL);
+
 	vec = ZFS_IOC(cmd);

 	if (vec >= sizeof (zfs_ioc_vec) / sizeof (zfs_ioc_vec[0]))