HomeFreeBSD

sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*

Description

sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*

SNDSTIOC_ADD_USER_DEVS* expects a user-supplied sndstioc_nv_arg->nbytes,
however we currently do not check whether this size is actually valid,
which results in a panic when SNDSTIOC_ADD_USER_DEVS* is called with an
invalid size. sndstat_add_user_devs() calls
sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size.

PR: 266142
Sponsored by: The FreeBSD Foundation
MFC after: 1 day
Reviewed by: brooks
Differential Revision: https://reviews.freebsd.org/D45236

(cherry picked from commit 074d337ad618f9cc2a1d5ab18b484928e57bd72b)

Details

Provenance
christosAuthored on Mon, May 20, 2:18 PM
Reviewer
brooks
Differential Revision
D45236: sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*
Parents
rGbca6f391aed9: sound: Prevent uninitialized variable destruction in chn_init()
Branches
Unknown
Tags
Unknown