authorXi Wang <[email protected]>2019-09-19 10:31:04 -0700
committerFrans Kaashoek <[email protected]>2019-09-23 20:01:56 -0400
commit9ead904afef8d060c2cc5cee6bd8e8d223de8c40 (patch)
treea57ab6072b772c00ad4de414ecfd58c2bf6789ef
parent37df68e5dedbf2a26c2bf0bdae090b206ce78b48 (diff)
fix major validation
fileread/filewrite should validate major to avoid buffer overflows or bogus function pointers.
-rw-r--r--kernel/file.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/kernel/file.c b/kernel/file.c
index fc87c09..116eb97 100644
--- a/kernel/file.c
+++ b/kernel/file.c
@@ -114,6 +114,8 @@ fileread(struct file *f, uint64 addr, int n)
if(f->type == FD_PIPE){
r = piperead(f->pipe, addr, n);
} else if(f->type == FD_DEVICE){
+ if(f->major < 0 || f->major >= NDEV || !devsw[f->major].read)
+ return -1;
r = devsw[f->major].read(1, addr, n);
} else if(f->type == FD_INODE){
ilock(f->ip);
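Review bot: The new guard in the FD_DEVICE branch of fileread, and the identical one in filewrite, validates `f->major` only at the point of use, so a file whose major is out of range or has no handler can still be opened and stay in the file table until its first read or write. If `f->major` is copied from an inode when the file is opened, which this diff does not show, the same range test belongs there as well, with these two checks kept as the last barrier before `devsw` is indexed. A short comment above each check would record why it exists, for example `// major may come from an untrusted inode; bound it before indexing devsw`. Both function bodies start and end outside their hunks.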
@@ -140,6 +142,8 @@ filewrite(struct file *f, uint64 addr, int n)
if(f->type == FD_PIPE){
ret = pipewrite(f->pipe, addr, n);
} else if(f->type == FD_DEVICE){
+ if(f->major < 0 || f->major >= NDEV || !devsw[f->major].write)
+ return -1;
ret = devsw[f->major].write(1, addr, n);
} else if(f->type == FD_INODE){
// write a few blocks at a time to avoid exceeding