Change Details

sndstat_ioctl() receives a user-supplied sndstioc_nv_arg struct, however we currently do not check whether sndstioc_nv_arg->nbytes is valid, which results in a panic when SNDSTIOC_ADD_USER_DEVS is called with an invalid size. sndstat_add_user_devs() calls sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size. Even though this bug is related to SNDSTIOC_ADD_USER_DEVS, add these checks in sndstat_ioctl() for robustness. PR: 266142 Sponsored by: The FreeBSD Foundation MFC after: 3 days

SNDSTIOC_ADD_USER_DEVS* expects a user-supplied sndstioc_nv_arg->nbytes, however we currently do not check whether this size is actually valid, which results in a panic when SNDSTIOC_ADD_USER_DEVS* is called with an invalid size. sndstat_add_user_devs() calls sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size. PR: 266142 Sponsored by: The FreeBSD Foundation MFC after: 3 days

sndstat_ioctl() receiveSNDSTIOC_ADD_USER_DEVS* expects a user-supplied sndstioc_nv_arg struct, however->nbytes, however we currently do not check whether sndstioc_nv_arg->nbytes isthis size is actually valid, which results in a panic when SNDSTIOC_ADD_USER_DEVS* is called with an invalid size. sndstat_add_user_devs() calls sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size. Even though this bug is related to SNDSTIOC_ADD_USER_DEVS, add these checks in sndstat_ioctl() for robustness. PR: 266142 Sponsored by: The FreeBSD Foundation MFC after: 3 days