diff options
author | Xi Wang <[email protected]> | 2019-09-19 10:31:04 -0700 |
---|---|---|
committer | Frans Kaashoek <[email protected]> | 2019-09-23 20:01:56 -0400 |
commit | 9ead904afef8d060c2cc5cee6bd8e8d223de8c40 (patch) | |
tree | a57ab6072b772c00ad4de414ecfd58c2bf6789ef /kernel/file.c | |
parent | 37df68e5dedbf2a26c2bf0bdae090b206ce78b48 (diff) | |
download | xv6-labs-9ead904afef8d060c2cc5cee6bd8e8d223de8c40.tar.gz xv6-labs-9ead904afef8d060c2cc5cee6bd8e8d223de8c40.tar.bz2 xv6-labs-9ead904afef8d060c2cc5cee6bd8e8d223de8c40.zip |
fix major validation
fileread/filewrite should validate major to avoid buffer overflows
or bogus function pointers.
Diffstat (limited to 'kernel/file.c')
-rw-r--r-- | kernel/file.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/kernel/file.c b/kernel/file.c index fc87c09..116eb97 100644 --- a/kernel/file.c +++ b/kernel/file.c @@ -114,6 +114,8 @@ fileread(struct file *f, uint64 addr, int n) if(f->type == FD_PIPE){ r = piperead(f->pipe, addr, n); } else if(f->type == FD_DEVICE){ + if(f->major < 0 || f->major >= NDEV || !devsw[f->major].read) + return -1; r = devsw[f->major].read(1, addr, n); } else if(f->type == FD_INODE){ ilock(f->ip); @@ -140,6 +142,8 @@ filewrite(struct file *f, uint64 addr, int n) if(f->type == FD_PIPE){ ret = pipewrite(f->pipe, addr, n); } else if(f->type == FD_DEVICE){ + if(f->major < 0 || f->major >= NDEV || !devsw[f->major].write) + return -1; ret = devsw[f->major].write(1, addr, n); } else if(f->type == FD_INODE){ // write a few blocks at a time to avoid exceeding |