Fix 5 security bugs found by the Stanford tools

author Jeff Hartmann <jhartmann@valinux.com>

Mon, 18 Jun 2001 19:25:15 +0000 (19:25 +0000)

committer Jeff Hartmann <jhartmann@valinux.com>

Mon, 18 Jun 2001 19:25:15 +0000 (19:25 +0000)
author Jeff Hartmann <jhartmann@valinux.com>
Mon, 18 Jun 2001 19:25:15 +0000 (19:25 +0000)
committer Jeff Hartmann <jhartmann@valinux.com>
Mon, 18 Jun 2001 19:25:15 +0000 (19:25 +0000)
diff --git a/linux-core/i810_dma.c b/linux-core/i810_dma.c

index 25caca6..8abf80a 100644 (file)
--- a/linux-core/i810_dma.c
+++ b/linux-core/i810_dma.c
@@ -1094,6 +1094,8 @@ int i810_dma_vertex(struct inode *inode, struct file *filp,
         DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
                   vertex.idx, vertex.used, vertex.discard);
  
+       if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+
         i810_dma_dispatch_vertex( dev,
                                   dma->buflist[ vertex.idx ],
                                   vertex.discard, vertex.used );
@@ -1222,7 +1224,7 @@ int i810_copybuf(struct inode *inode, struct file *filp, unsigned int cmd,
         if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
                 return -EFAULT;
  
-       if(d.idx > dma->buf_count) return -EINVAL;
+        if(d.idx < 0 || d.idx > dma->buf_count) return -EINVAL;
         buf = dma->buflist[ d.idx ];
         buf_priv = buf->dev_private;
         if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;
diff --git a/linux/i810_dma.c b/linux/i810_dma.c

index 25caca6..8abf80a 100644 (file)
--- a/linux/i810_dma.c
+++ b/linux/i810_dma.c
@@ -1094,6 +1094,8 @@ int i810_dma_vertex(struct inode *inode, struct file *filp,
         DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
                   vertex.idx, vertex.used, vertex.discard);
  
+       if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+
         i810_dma_dispatch_vertex( dev,
                                   dma->buflist[ vertex.idx ],
                                   vertex.discard, vertex.used );
@@ -1222,7 +1224,7 @@ int i810_copybuf(struct inode *inode, struct file *filp, unsigned int cmd,
         if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
                 return -EFAULT;
  
-       if(d.idx > dma->buf_count) return -EINVAL;
+        if(d.idx < 0 || d.idx > dma->buf_count) return -EINVAL;
         buf = dma->buflist[ d.idx ];
         buf_priv = buf->dev_private;
         if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;
diff --git a/linux/mga_state.c b/linux/mga_state.c

index 99778c5..41b2e9a 100644 (file)
--- a/linux/mga_state.c
+++ b/linux/mga_state.c
@@ -943,6 +943,7 @@ int mga_dma_vertex( struct inode *inode, struct file *filp,
                              sizeof(vertex) ) )
                 return -EFAULT;
  
+        if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
         buf = dma->buflist[vertex.idx];
         buf_priv = buf->dev_private;
  
@@ -984,6 +985,8 @@ int mga_dma_indices( struct inode *inode, struct file *filp,
                              sizeof(indices) ) )
                 return -EFAULT;
  
+        if(indices.idx < 0 || indices.idx > dma->buf_count) return -EINVAL;
+
         buf = dma->buflist[indices.idx];
         buf_priv = buf->dev_private;
  
@@ -1030,6 +1033,7 @@ int mga_dma_iload( struct inode *inode, struct file *filp,
                 return -EBUSY;
         }
  #endif
+        if(iload.idx < 0 || iload.idx > dma->buf_count) return -EINVAL;
  
         buf = dma->buflist[iload.idx];
         buf_priv = buf->dev_private;
author	Jeff Hartmann <jhartmann@valinux.com>
	Mon, 18 Jun 2001 19:25:15 +0000 (19:25 +0000)
committer	Jeff Hartmann <jhartmann@valinux.com>
	Mon, 18 Jun 2001 19:25:15 +0000 (19:25 +0000)
linux-core/i810_dma.c		patch \| blob \| history
linux/i810_dma.c		patch \| blob \| history
linux/mga_state.c		patch \| blob \| history